Abstract



In this thesis I will give a formal definition of side effects. I will do so by 
modifying a system for modelling program instructions and program states, 
Quantified Dynamic Logic, to a system called DLAf (for Dynamic Logic with 
Assignments as Formulas), which in contrast to QDL allows assignments in 
formulas and makes use of short-circuit evaluation. I will show the underlying 
logic in those formulas to be a variant of short-circuit logic called repetition-proof short-circuit logic.

Using DLAf I will define the actual and the expected evaluation of a single 
instruction. The side effects are then defined to be the difference between the 
two. I will give rules for composing those side effects in single instructions, 
thus scaling up our definition of side effects to a definition of side effects in 
deterministic DLAf-programs. Using this definition I will give a classification of 
side effects, introducing as most important class that of marginal side effects. 
Finally, I will show how to use our system for calculating the side effects in a 
real system such as Program Algebra (PGA). 
1 Introduction



1.1 What are side effects? 

In programming practice, side effects are a well-known phenomenon, even though 
nobody seems to have an exact definition of what they are. To get a basic idea, 
here are some examples from natural language and programming that should 
explain the intuition behind side effects. 

Suppose you and your wife have come to an agreement regarding grocery 
shopping. Upon leaving for work, she told you that "if I don't call, you do not 
have to do the shopping". Later that day, she calls you to tell you something 
completely different, for instance that she is pregnant. This call now has as side 
effect that you no longer know whether you have to do grocery shopping or not, 
even though the meaning of the call itself was something completely different. 

Another example is taken from [3]. Suppose someone tells you that "Phoebe
is waiting in front of your door, and you don't know it!" This is a perfectly 
fine thing to say, but you cannot say it twice because then it will no longer 
be true that you don't know that Phoebe is waiting (after all, you were just 
told). Here, the side effect is that your knowledge gets updated by the sentence, 
which makes the latter part of that sentence, which is a statement about your 
knowledge, false. 

As said, in programming practice, side effects are a well-known phenomenon. 
Logically, they are interesting because the possible presence of side effects in a 
program instruction sequence invalidates principles of propositional logic such 
as commutativity ($\phi \wedge \psi \leftrightarrow \psi \wedge \phi$) and idempotency ($\phi \wedge \phi \leftrightarrow \phi$). The textbook
example is the following program:

x:=1

if (x:=x+1 and x=2) then y

Here the operator := stands for assignment and = for an equality test. Assuming
an assignment instruction always succeeds (that is, yields the reply true), in
the above example the test $\phi \wedge \psi$, where $\phi$ is the instruction x:=x+1 and $\psi$ the
instruction x=2, will succeed and therefore, y will be executed. However, should
the order of those instructions be reversed ($\psi \wedge \phi$), this no longer will be the
case. The reason is that the instruction $\phi$ has a side effect: apart from returning
true, it also increments the variable x with 1, thus making it 2. If $\phi$ is executed
before $\psi$, the test in $\psi$ (x=2) will yield true. Otherwise, it will yield false.

It is easy to see that should $\phi \wedge \psi$ be executed twice, the end result will also
be false. Therefore, for $\chi = \phi \wedge \psi$, we have that $\chi \not\leftrightarrow \chi \wedge \chi$.

1.2 What are steering fragments? 

Now that I have given a rough idea of what side effects are, the reader is probably 
wondering about the second part of my thesis title: that of steering fragments. 
A steering fragment or test is a program fragment which is concerned with the 
control flow of the execution of that program. To be exact, a steering fragment 
will use the evaluation result of a formula (which is a Boolean) and depending 
on the outcome, will steer further execution of the program. Thus, a steering 
fragment consists of two parts: a formula and a control part which decides what 
to do with the evaluation result of that formula. Throughout this thesis, I will 
be using the terms steering fragment and test interchangeably. 

The formula in a steering fragment can either be a primitive or a compound
formula. The components of a compound formula are usually connected via
logical connectives such as $\wedge$ and $\vee$, or involve negation. If the formula of a
steering fragment is compound, we say that the steering fragment is a complex
steering fragment.

We have already seen a classical example of a (complex) steering fragment
in the previous section: the if ... then instruction. In the example above, the
formula is a compound formula with $x := x + 1$ and $x = 2$ as its components,
connected via the logical connective $\wedge$. The control part of this steering fragment
consists of if and then and the prescription to execute y if evaluation of
x:=x+1 and x=2 yields true.

1.3 Related work 

The main contribution of this thesis is to construct a formal model of side effects 
in dynamic logic. Because of that, I only had limited time and space to properly 
research related work done in this area. Despite that, I will briefly describe some 
references I have come across throughout this project. 

Currently, a formal definition of side effects appears to be missing in literature.
That is not to say that side effects have been completely ignored. Attempts
have been made to create a logic which admits the possibility of side effects by 
Bergstra and Ponse [S]. Furthermore, an initial, informal classification of side 
effects has been presented by Bergstra in [T]. I will return to those references 
later in this thesis. 

Black and Windley have made an attempt to reason in a setting with side
effects in [3 [5]. In their goal to verify a secure application written in C using
Hoare axiomatic semantics to express the correctness of program statements, 
they encountered the problem of side effects occurring in the evaluation of some 
C-expressions. They solved the problem by creating extra inference rules which 
essentially separate the evaluation of the side effect from the evaluation of the 
main expression. 
Also working with C is Norrish in [17]. He presents a formal semantics for C
and he, too, runs into side effects in the process. Norrish claims that a semantics 
gives a program meaning by describing the way in which it changes a program 
state. Such a program state would both include the computer's memory as well 
as what is commonly known as the environment (types of variables, mapping of 
variable names to addresses in memory etc.). Norrish claims that in C, changes 
to the former come about through the actions of side effects, which are created 
by evaluating certain expression forms such as assignments. Norrish's formal
semantics for C is able to handle these side effects.

Bohm presents a different style of axiomatic definitions for programming languages [6].
Whereas other authors such as Black and Windley above use Hoare
axiomatic semantics which bases the logic on the notion of pre- or postcondition, 
Bohm uses the value of a programming language expression as the underlying 
primitive. He relies on the fact that the underlying programming language is an 
expression language such as Algol 68 [H]. Expressions are allowed to have arbitrary
side effects and the notions of statement and expression coincide. Bohm
claims that his formalism is just as intuitive as Hoare-style logic and that the 
notion of 'easy axiomatizability' — which is a major measurement of the quality 
of a programming language — is a matter of a choice of formalism, which in 
turn is arbitrary. 

In this thesis I will develop a variant of Dynamic Logic to model side effects. 
Dynamic Logic is used for a wide range of applications, ranging from modelling 
key constructs of imperative programming to developing dynamic semantic theories
for natural language. An early overview of dynamic logic is given by Harel
in [15]. More recently, Van Eijck and Stokhof have given an extensive overview
of various systems of dynamic logic in .

1.4 Overview of this thesis 

Intuitively, a side effect of a propositional statement is a change in state of 
a program or model other than the effect (or change in state) it was initially 
executed for. In this thesis I will present a system that makes this intuition 
explicit. 

First, in Chapter [2] I will present the preliminaries on which my system, that
can model program instructions and their effect on program states, is based.
This system, which I present in Chapter [3], will be a modified version of Quantified
Dynamic Logic, overviews of which can be found in [15, 11].

After introducing some terminology and exploring the logic behind this system
in Chapters [3] and [SJ I can formally define side effects, which I will do in
Chapter [51 In Chapter [7] I will proceed to giving a classification of side effects, 
introducing marginal side effects as the most important class. 

In Chapter [5] I will present a case study to see this definition of side effects 
in action. For this I will use an — again slightly modified — version of Program 
Algebra [3]. I will end this thesis with some conclusions and some pointers for 
future work. 
2 Preliminaries



2.1 Introduction 

In order to say something useful about side effects, we need a formal definition. 
Such a definition can be found using dynamic logics. The basic idea here is that 
the update of a program instruction is the change in program state it causes. 
This allows us to introduce an expected and an actual evaluation of a program 
instruction. The expected evaluation of a program instruction is the change 
you would expect a program instruction to make to the program state upon 
evaluation. This may differ, however, from the actual evaluation, namely when 
a side effect occurs when actually evaluating the program instruction. The side 
effect of a program instruction then is defined as the difference between the
expected and the actual evaluation of that program instruction.

To flesh this out in a formal definition, we first need a system that is able 
to model program states and program instructions. Quantified Dynamic Logic 
(QDL) is such a system. QDL was developed by Harel [H] and Goldblatt [T5] . 
It can be seen as a first order version of Propositional Dynamic Logic (PDL), 
which was developed by Pratt in [121 HO]. Much of the overview of both PDL
and QDL I will give below is taken from the overview of dynamic logic by Van
Eijck and Stokhof [11].

Dynamic logic can be viewed as dealing with the logic of action and the
result of action [11]. Although various kinds of actions can be modelled with
it, one is of particular interest for us: the actions performed on computers, 
i.e. computations. In essence, these are actions that change the memory state 
of a machine, or on a somewhat higher level the program state of a computer 
program. 

Regardless of what kinds of actions are modelled, the core of dynamic logic
can in many cases be characterized in a similar way via the logic of 'labelled
transition systems'. A labelled transition system or LTS over a signature $(P, A)$,
with $P$ a set of propositions and $A$ a set of actions, is a triple $(S, V, R)$ where $S$
is a set of states, $V : S \to \mathcal{P}(P)$ is a valuation function and $R = \{\xrightarrow{a} \subseteq S \times S \mid a \in A\}$
is a set of labelled transitions (one binary relation on $S$ for each label $a$).

There are various versions of dynamic logic. Before I will introduce two of 
these, I will first describe the setting I will be using in my examples. This setting
consists of a toy programming language that is expressive enough to model the 
working examples I need to discuss side effects. 



2.2 Toy language 

My toy language should be able to handle assignments and steering fragments.
The steering fragment can possibly be complex, so our toy language should be
able to handle compound formulas: multiple formulas (such as equality tests)
connected via logical connectives. In particular, I will be using short-circuit
left and ($\wedge^{\circ}$) and short-circuit left or ($\vee^{\circ}$) as connectives. Finally, assignments
should be allowed in tests as well: they are, in line with what one would expect,
defined to always return true.

As toy language I will first present the WHILE language defined by Van Eijck
in . We will see soon enough that we will actually need more functionality
than it offers, but it will serve us well in the introduction of PDL, QDL and the
illustration of the problems we will run into.

The WHILE language works on natural numbers and defines arithmetic expressions,
Boolean expressions and programming commands. Arithmetic expressions
$a$, with $n$ ranging over numerals and $v$ over variables from a set $V$, are
defined as follows:

$a ::= n \mid v \mid a_1 + a_2 \mid a_1 * a_2 \mid a_1 - a_2$

Boolean expressions are defined as:

$B ::= \top \mid a_1 = a_2 \mid a_1 < a_2 \mid \neg B \mid B_1 \vee B_2$

Finally, we define the following programming commands:

$C ::= \mathrm{SKIP} \mid \mathrm{ABORT} \mid v := a \mid C_1; C_2 \mid \mathrm{IF}\ B\ \mathrm{THEN}\ C_1\ \mathrm{ELSE}\ C_2$

For the sake of simplicity, we will postpone the introduction of the WHILE
command until after we have presented our modified system in Chapter [3].

The semantics of the arithmetic expressions are fairly self-explanatory. We
assume that every numeral $n$ has an interpretation $I(n) \in \mathbb{N}$ and let $g$
be a mapping from $V$ to $\mathbb{N}$. We then have the following interpretations of the
arithmetic expressions, relative to initial valuation or initial program state $g$:

$[\![n]\!]_g := I(n)$

$[\![v]\!]_g := g(v)$

$[\![a_1 + a_2]\!]_g := [\![a_1]\!]_g + [\![a_2]\!]_g$
$[\![a_1 * a_2]\!]_g := [\![a_1]\!]_g * [\![a_2]\!]_g$
$[\![a_1 - a_2]\!]_g := [\![a_1]\!]_g - [\![a_2]\!]_g$



The semantics of the Boolean expressions are standard as well, writing T for
true and F for false:

$[\![a_1 = a_2]\!]_g := \begin{cases} T & \text{if } [\![a_1]\!]_g = [\![a_2]\!]_g \\ F & \text{otherwise} \end{cases}$

$[\![a_1 < a_2]\!]_g := \begin{cases} T & \text{if } [\![a_1]\!]_g < [\![a_2]\!]_g \\ F & \text{otherwise} \end{cases}$

$[\![\neg B]\!]_g := \begin{cases} T & \text{if } [\![B]\!]_g = F \\ F & \text{otherwise} \end{cases}$

$[\![B_1 \vee B_2]\!]_g := \begin{cases} T & \text{if } [\![B_1]\!]_g = T \text{ or } [\![B_2]\!]_g = T \\ F & \text{otherwise} \end{cases}$



The semantics of the commands of the toy language can be given in various
styles. Here I take a look at a variant called structural operational semantics.
It is specified using a transition system from pairs of a state and a
command, to either a state or again a state and a (new) command.

First I will give the transitions for the assignment command. It looks like
this, where we write $g[v \mapsto t]$ for the valuation which is like valuation $g$ except
for the variable $v$, which has been mapped to $t$:

$(g, v := a) \Longrightarrow g[v \mapsto [\![a]\!]_g]$

Here we have the pair of state $g$ and the assignment command $v := a$ at the
start of the transition. After the transition, we only have a new state left, since
the execution of this command has finished in a single step.

The SKIP command does nothing: it does not change the state and it finishes 
in a single step. 

$(g, \mathrm{SKIP}) \Longrightarrow g$

In structural operational semantics, there are two rules for sequential composition,
one for when program $C_1$ finishes in a single step and one for when it
does not.

$\dfrac{(g, C_1) \Longrightarrow g'}{(g, C_1; C_2) \Longrightarrow (g', C_2)}$

$\dfrac{(g, C_1) \Longrightarrow (g', C_1')}{(g, C_1; C_2) \Longrightarrow (g', C_1'; C_2)}$



Finally, we have the rules for conditional action. There are two (similar)
rules, depending on the outcome of the test:

$\dfrac{[\![B]\!]_g = T}{(g, \mathrm{IF}\ B\ \mathrm{THEN}\ C_1\ \mathrm{ELSE}\ C_2) \Longrightarrow (g, C_1)}$

$\dfrac{[\![B]\!]_g = F}{(g, \mathrm{IF}\ B\ \mathrm{THEN}\ C_1\ \mathrm{ELSE}\ C_2) \Longrightarrow (g, C_2)}$
2.3 Propositional Dynamic Logic



Now that I have introduced the toy language, it is time to take a look at the 
first version of dynamic logic we are interested in: Propositional Dynamic Logic 
(PDL in short). The language of PDL consists of formulas $\phi$ (based on basic
propositions $p \in P$) and programs $\alpha$ (based on basic actions $a \in A$):

$\phi ::= \top \mid p \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \langle\alpha\rangle\phi$
$\alpha ::= a \mid ?\phi \mid \alpha_1; \alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha^*$



As the name suggests, PDL is based on propositional logic. This means that
the usual properties such as associativity and duality are valid and will be used
throughout. Furthermore, we can use the following abbreviations:

$\bot =$

$\phi_1 \wedge \phi_2 = \neg(\neg\phi_1 \vee \neg\phi_2)$
$\phi_1 \to \phi_2 = \neg\phi_1 \vee \phi_2$
$\phi_1 \leftrightarrow \phi_2 = (\phi_1 \to \phi_2) \wedge (\phi_2 \to \phi_1)$

$[\alpha]\phi = \neg\langle\alpha\rangle\neg\phi$



The relational composition $R_1 \circ R_2$ of binary relations $R_1, R_2$ on state set $S$
is given by:

$R_1 \circ R_2 = \{(s_1, s_2) \in S \times S \mid \exists s_3\,((s_1, s_3) \in R_1 \wedge (s_3, s_2) \in R_2)\}$



The $n$-fold composition $R^n$ of a binary relation $R$ on $S$ with itself is recursively
defined as follows, with $I$ the identity relation on $S$:

$R^0 = I$



Finally, the reflexive transitive closure of $R$ is given by:

$R^* = \bigcup_{n \in \mathbb{N}} R^n$



To define the semantics of PDL over basic propositions $P$ and basic actions $A$,
we need the labelled transition system $T = (S_T, V_T, R_T)$ for signature $(P, A)$.
The formulas of PDL are interpreted as subsets of $S_T$, the actions as binary
relations on $S_T$. This leads to the following interpretations:

$[\![\top]\!]^T = S_T$

$[\![p]\!]^T = \{s \in S_T \mid p \in V_T(s)\}$

$[\![\neg\phi]\!]^T = S_T - [\![\phi]\!]^T$

$[\![\phi_1 \vee \phi_2]\!]^T = [\![\phi_1]\!]^T \cup [\![\phi_2]\!]^T$

$[\![\langle\alpha\rangle\phi]\!]^T = \{s \in S_T \mid \exists t\,((s, t) \in [\![\alpha]\!]^T \text{ and } t \in [\![\phi]\!]^T)\}$

$[\![a]\!]^T = \xrightarrow{a}_T$

$[\![?\phi]\!]^T = \{(s, s) \in S_T \times S_T \mid s \in [\![\phi]\!]^T\}$

$[\![\alpha^*]\!]^T = ([\![\alpha]\!]^T)^*$

The programming constructs in our toy language are expressed in PDL as fol- 
lows: 

$\mathrm{SKIP} := ?\top$
$\mathrm{ABORT} := ?\bot$
$\mathrm{IF}\ \phi\ \mathrm{THEN}\ \alpha_1\ \mathrm{ELSE}\ \alpha_2 := (?\phi; \alpha_1) \cup (?\neg\phi; \alpha_2)$
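As an added example (Python written for this page, not code from the thesis or from Van Eijck and Stokhof), the PDL interpretations above can be computed directly on a finite LTS; the four-state system, its valuation and its two actions are constructed here, and the toy-language encodings of SKIP, ABORT and IF ... THEN ... ELSE are the ones just listed:

```python
# Formulas and programs are nested tuples following the PDL grammar above:
#   ("T",) | ("p", name) | ("not", f) | ("or", f1, f2) | ("diamond", prog, f)
#   ("act", label) | ("test", f) | ("seq", p1, p2) | ("union", p1, p2) | ("star", p)

# Constructed LTS T = (S_T, V_T, R_T) over signature (P, A), P = {p, q}, A = {a, b}.
STATES = frozenset({0, 1, 2, 3})
VALUATION = {0: {"p"}, 1: {"q"}, 2: {"p", "q"}, 3: set()}
TRANSITIONS = {"a": {(0, 1), (1, 2)}, "b": {(1, 3), (2, 0)}}


def compose(r1, r2):
    """Relational composition R1 o R2 as defined above."""
    return {(s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2}


def star(r):
    """Reflexive transitive closure R* = union of all R^n, built as a fixpoint
    starting from R^0 = I; on a finite state set the iteration terminates."""
    closure = {(s, s) for s in STATES}
    while True:
        bigger = closure | compose(closure, r)
        if bigger == closure:
            return closure
        closure = bigger


def formula(phi):
    """[[phi]]^T: the set of states satisfying phi."""
    kind = phi[0]
    if kind == "T":
        return set(STATES)
    if kind == "p":
        return {s for s in STATES if phi[1] in VALUATION[s]}
    if kind == "not":
        return STATES - formula(phi[1])
    if kind == "or":
        return formula(phi[1]) | formula(phi[2])
    if kind == "diamond":                       # <alpha>phi: some alpha-successor has phi
        rel, target = program(phi[1]), formula(phi[2])
        return {s for s in STATES if any((s, t) in rel for t in target)}
    raise ValueError(f"unknown formula {phi!r}")


def box(alpha, phi):
    """[alpha]phi abbreviates not <alpha> not phi."""
    return ("not", ("diamond", alpha, ("not", phi)))


def program(alpha):
    """[[alpha]]^T: the binary relation on states denoted by alpha."""
    kind = alpha[0]
    if kind == "act":
        return set(TRANSITIONS.get(alpha[1], set()))
    if kind == "test":                           # ?phi: stay put, but only where phi holds
        return {(s, s) for s in formula(alpha[1])}
    if kind == "seq":
        return compose(program(alpha[1]), program(alpha[2]))
    if kind == "union":
        return program(alpha[1]) | program(alpha[2])
    if kind == "star":
        return star(program(alpha[1]))
    raise ValueError(f"unknown program {alpha!r}")


# The toy-language commands encoded in PDL, as listed above.
SKIP = ("test", ("T",))
ABORT = ("test", ("not", ("T",)))


def if_then_else(phi, alpha1, alpha2):
    return ("union", ("seq", ("test", phi), alpha1),
                     ("seq", ("test", ("not", phi)), alpha2))


def demo():
    """Returns ([[<a*>q]], [[[b]p]], [[IF p THEN a ELSE b]], [[ABORT]]) on the LTS above."""
    a, b = ("act", "a"), ("act", "b")
    reach_q = formula(("diamond", ("star", a), ("p", "q")))   # states with an a-path to a q-state
    all_b_p = formula(box(b, ("p", "p")))                     # every b-successor satisfies p
    branch = program(if_then_else(("p", "p"), a, b))          # guarded union of the two branches
    return reach_q, all_b_p, branch, program(ABORT)
```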

Although PDL is a powerful logic, it is not enough yet to properly model the 
toy language we need. The reason for that is the need for assignments. Since 
assignments change relational structures, the appropriate assertion language 
is first order predicate logic, and not propositional logic [11]. So instead of
PDL, which as the name suggests uses propositional logic, we need a version 
of dynamic logic that uses first order predicate logic. This is where Quantified 
Dynamic Logic (QDL in short) comes in. 

2.4 Quantified Dynamic Logic 

The language of QDL consists of terms $t$, formulas $\phi$ and programs $\pi$. For
functions $f$ and relational symbols $R$ we have:

$t ::= v \mid f t_1 \ldots t_n$
$\phi ::= \top \mid R t_1 \ldots t_n \mid t_1 = t_2 \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \exists v\phi \mid \langle\pi\rangle\phi$

$\pi ::= v := ? \mid v := t \mid ?\phi \mid \pi_1; \pi_2 \mid \pi_1 \cup \pi_2 \mid \pi^*$

In the case of natural numbers, examples of $f$ are $+$, $*$ etc. and examples of
$R$ are $<$ and $>$. The same abbreviations as in PDL are used, most notably
$\bot =$ and $[\pi]\phi = \neg\langle\pi\rangle\neg\phi$.

The random assignment ($v := ?$) does not increase the expressive power of
QDL [11]. It can, however, be nicely used to express the universal and existential
quantifier:

$\exists v\phi \leftrightarrow \langle v := ?\rangle\phi$
$\forall v\phi \leftrightarrow [v := ?]\phi$
The pair $(F, R)$ is called a first order signature. A model for such a signature
is a structure of the form

$M = (E, f^M, R^M)$

where $E$ is a non-empty set, the $f^M$ are interpretations in $E$ for the members
of $F$ and the $R^M$ similarly are the interpretations in $E$ for the members of $R$.
Now let $V$ be the set of variables of the language. Interpretation of terms in $M$
is defined relative to an initial valuation $g : V \to E$:

$[\![v]\!]^M_g := g(v)$ (QDL1)

$[\![f t_1 \ldots t_n]\!]^M_g := f^M([\![t_1]\!]^M_g, \ldots, [\![t_n]\!]^M_g)$ (QDL2)



Truth in $M$ for formulas is defined by simultaneous recursion, where $g \sim_v h$
then means that $h$ differs at most from $g$ on the assignment it gives to variable
$v$:

$M \models_g \top$ always (QDL3)

$M \models_g R t_1 \ldots t_n$ iff $([\![t_1]\!]^M_g, \ldots, [\![t_n]\!]^M_g) \in R^M$ (QDL4)

$M \models_g t_1 = t_2$ iff $[\![t_1]\!]^M_g = [\![t_2]\!]^M_g$ (QDL5)

$M \models_g \neg\phi$ iff $M \not\models_g \phi$ (QDL6)

$M \models_g \phi_1 \vee \phi_2$ iff $M \models_g \phi_1$ or $M \models_g \phi_2$ (QDL7)

$M \models_g \exists v\phi$ iff for some $h$ with $g \sim_v h$, $M \models_h \phi$ (QDL8)

$M \models_g \langle\pi\rangle\phi$ iff for some $h$ with $g[\![\pi]\!]^M_h$, $M \models_h \phi$ (QDL9)



The same goes for the relational meaning in $M$ for programs:

$g[\![v := t]\!]^M_h$ iff $h = g[v \mapsto [\![t]\!]^M_g]$ (QDL10)

$g[\![?\phi]\!]^M_h$ iff $g = h$ and $M \models_g \phi$ (QDL11)

$g[\![\pi_1; \pi_2]\!]^M_h$ iff $\exists f$ with $g[\![\pi_1]\!]^M_f$ and $f[\![\pi_2]\!]^M_h$ (QDL12)

$g[\![\pi_1 \cup \pi_2]\!]^M_h$ iff $g[\![\pi_1]\!]^M_h$ or $g[\![\pi_2]\!]^M_h$ (QDL13)

$g[\![\pi^*]\!]^M_h$ iff $g = h$ or $g[\![\pi; \pi^*]\!]^M_h$ (QDL14)



The above definition makes concatenation (;) an associative operator:

$(\pi_1; \pi_2); \pi_3 = \pi_1; (\pi_2; \pi_3)$

As a convention, we omit the brackets wherever possible. 

Although QDL goes a long way to modelling our toy language and program
states, we are not quite there yet. The modifications we have to make come to
light when we examine the expressive power of QDL. QDL currently has more
expressive power than it has semantics defined for. This problem surfaces when
the modality operator is nested within a test, like this:

$?\langle v := t\rangle\top$

This is the program $?\phi$, with $\phi = \langle\pi\rangle\psi$, $\pi = v := t$ and $\psi = \top$. As the semantics
of QDL are currently defined, the program $\pi$ will make a change to an initial
valuation $g$ if it is interpreted in it, returning valuation $h$ where the assignment $g$
had for variable $v$ will be expressed by $t$. This is expressed by QDL10. However,
the current semantics only assign relational meaning to a test instruction as
long as $g = h$, as expressed by QDL11.

Another similar example is the following:

$?\langle v := v + 1; v := v - 1\rangle\top$

Although this situation should be similar as above, it is not: because the program
state gets changed twice, QDL now is able to assign semantics to this
program since the program state gets returned to the original state by the second
program instruction (and we therefore have $g = h$).

So, not only can we devise even a very simple correct QDL-program for 
which there are no semantics defined, we can also give a very similar example 
for which QDL does define semantics. Not only does that somewhat erratic
behavior seem undesirable, but the nature of the examples here present us with
a problem when we are considering side effects. Exactly for the situations in
which side effects occur, namely when an instruction in a test causes a change
in the program state, there are no semantics defined in QDL. Therefore, I am
going to have to modify QDL so that it does define semantics in those situations. 
3 Modifying QDL to DLAf



3.1 Introducing DLAf 



In this chapter I will present Dynamic Logic with Assignments as Formulas, or 
DLAf in short, the resulting dynamic logic after making two major modifications 
to QDL. The modifications I will make are such that DLAf can model the 
specific kinds of constructions that we are interested in. This means that, like 
the name suggests, we have to introduce semantics for assignments in formulas. 
Furthermore, we will drop or modify some other QDL-instructions that we do 
not need. Because of that DLAf evades the problem of QDL mentioned in
Section 2.4 of the previous chapter and one other problem I will get back to in
Section 3.3. Before I introduce DLAf, however, I will show the modifications
that need to be done to Van Eijck's WHILE language so that it can model the
instructions we need. 

In the WHILE language, Boolean expressions are assumed to cause no state
change upon evaluation. However, for our purpose this is inadequate. We
want to allow assignments in tests as well and they cause a state change. This
warrants the first modification to the WHILE language and its semantics: assignments
are allowed in Boolean expressions. The second modification is that
the Boolean OR function will be replaced by a short-circuit version:

$B ::= \top \mid a_1 = a_2 \mid a_1 < a_2 \mid \neg B \mid B_1 \vee^{\circ} B_2 \mid v := a$

The new semantics for Boolean expressions are like the semantics defined by
Van Eijck, with as major difference that there are now semantics defined for
assignments:

$[\![v := a]\!]_g := T$

Furthermore, Boolean expressions now might introduce a state change, so every
command containing a Boolean expression (which for now only is the IF THEN
ELSE command) should account for that. In structural operational semantics,
we take a look at how the Boolean expression changes the state and perform
the remaining actions in that new state:

$(g, \mathrm{IF}\ B\ \mathrm{THEN}\ C_1\ \mathrm{ELSE}\ C_2)$

And similar for the case that $[\![B]\!]_g = F$.

As said, there is one more thing that needs to be modified in the language 
above. In order to be properly able to reason about side effects, the order in 
which the tests get executed is important. Because of that, the OR construct 
in Boolean expressions needs to be replaced by a short-circuit directed version: 



We will make use of its dual, the short-circuit left and ($\wedge^{\circ}$) too. It is defined
similarly as above. As a convention, from here on $\vee^{\circ}$ and $\wedge^{\circ}$ can be used
interchangeably in definitions, unless explicitly stated otherwise. Both $\vee^{\circ}$ as
well as $\wedge^{\circ}$ are associative. We again omit brackets wherever possible.

All we have left to define now is the state change a Boolean can cause. This 
is defined as follows: 



Missing in the above WHILE language are the random assignment and the
existential quantifier. This is because I have decided to drop them. The reason
for that is that they can cause non-deterministic behavior and in this thesis,
we are not interested in the (side effects of) non-deterministic programs. In
fact it is questionable whether we can say anything about side effects in non-deterministic
programs, but I will return to that in my possibilities for future
work in Chapter [3]. Aside from that, in our context of (imperative) programs,
the random assignment is an unusual concept at best. The same goes for the
formula $\exists v\phi$.

With those modifications to the toy language in mind, we can take a look
at the similar modifications that need to be made to QDL. In the resulting
dynamic logic DLAf, we keep the same terms:

$t ::= v \mid f t_1 \ldots t_n$

$\phi ::= \top \mid R t_1 \ldots t_n \mid t_1 = t_2 \mid \neg\phi \mid \phi_1 \vee^{\circ} \phi_2 \mid \phi_1 \wedge^{\circ} \phi_2 \mid [v := t]\top$

In DLAf we of course drop the random assignment and existential quantifier,
too. By dropping them, we lose the quantified character of QDL. Because of
that, the resulting logic is no longer called a quantified dynamic logic. The
first major change to QDL, besides the absence of the random assignment and
the existential quantifier, is that I replace the $\langle\pi\rangle\phi$ command with the weaker

$[v := t]\top$

This modification explicitly expresses the possibility of assignments in formulas.
All other programs, however, are no longer allowed in formulas. Because of this
modification we will avoid a number of problems that QDL has, while keeping
the desired functionality that there should be room for assignments in formulas.
I will address these problems in detail in Section 3.3.

We have also replaced the $\vee$ connective with its short-circuit variant ($\vee^{\circ}$)
and for convenience, have explicitly introduced its dual ($\wedge^{\circ}$). We will return to
the motivation for this change at the end of this chapter.
We also need to replace the QDL-formula associated with this command
(QDL9). The truth in $M$ for the new command is defined as follows:

$M \models_g [v := t]\top$ always (DLA9)

It should come as no surprise that this always succeeds, since assignments always
succeed and yield true. Since this formula always succeeds, we replaced the
possibility modality ($\langle v := t\rangle\top$) with the necessity modality ($[v := t]\top$). The
reason we keep this formula in the form of a modality at all (and not just
$v := t$), is because formulas of this form can change the initial valuation. This
is in sharp contrast to the basic formulas $t_1 = t_2$ and $R t_1 \ldots t_n$, which do not
change the initial valuation and are typically not modalities. Because of that,
it is unintuitive to write the assignment formula as $v := t$.

On a side note: in our toy language we do simply write $v := t$ for the assignment,
regardless of where it occurs. This is because in the world of (imperative)
programming, assignments are allowed in steering fragments.

We will see below that we are going to accept possible state changes in
formulas, in contrast to the original QDL versions. For this we will use a
m mechanism to determine when a state change happens, that is, a function that
returns the program(s) that are encountered when evaluating a formula $\phi$. This
function is defined as follows:

Definition 1. The program extraction function $\Pi^M_g : \phi \to \pi$ returns for
formula $\phi$ the program(s) that are encountered when evaluating the formula given
model $M$ and initial valuation $g$. It is defined recursively as follows:

$\Pi^M_g(\top) = ?\top$
$\Pi^M_g(R t_1 \ldots t_n) = ?\top$
$\Pi^M_g(t_1 = t_2) = ?\top$
$\Pi^M_g(\neg\phi) = \Pi^M_g(\phi)$

$\Pi^M_g(\phi_1 \vee^{\circ} \phi_2) = \begin{cases} \Pi^M_g(\phi_1) & \text{if } M \models_g \phi_1 \\ \Pi^M_g(\phi_1); \Pi^M_h(\phi_2) & \text{if } M \not\models_g \phi_1 \text{ and } g[\![\Pi^M_g(\phi_1)]\!]^M_h \end{cases}$

$\Pi^M_g(\phi_1 \wedge^{\circ} \phi_2) = \begin{cases} \Pi^M_g(\phi_1) & \text{if } M \not\models_g \phi_1 \\ \Pi^M_g(\phi_1); \Pi^M_h(\phi_2) & \text{if } M \models_g \phi_1 \text{ and } g[\![\Pi^M_g(\phi_1)]\!]^M_h \end{cases}$

$\Pi^M_g([v := t]\top) = (v := t)$

In the first three cases, no programs are encountered. Therefore, the program
extraction function returns the empty program ($?\top$). The formula $\neg\phi$ is
transparent, that is, it returns any program encountered in its subformula $\phi$.
Because of the short-circuit character of $\vee^{\circ}$ and $\wedge^{\circ}$, a case distinction is made
here: in case of $\vee^{\circ}$, $\phi_2$ will not be evaluated if $\phi_1$ yields true, therefore only
the program(s) encountered in $\phi_1$ will be returned. Otherwise, the result is a
concatenation of the program(s) encountered in $\phi_1$ and $\phi_2$. Obviously, for $\wedge^{\circ}$
the opposite is the case and this clause is derivable from the previous one using
duality. Finally, if the formula is an assignment, the program equivalent of that
assignment is returned.

Because the evaluation of a formula now can cause a state change, the original
definition for the truth in $M$ of $\vee$ (QDL7) is no longer valid. In case $\phi_1$
contains an assignment, $\phi_2$ must be evaluated in a different valuation, namely
the one resulting after evaluating $\phi_1$ in the initial valuation:

$M \models_g \phi_1 \vee^{\circ} \phi_2$ iff for $g[\![\Pi^M_g(\phi_1)]\!]^M_h$, $M \models_g \phi_1$ or $M \models_h \phi_2$ (DLA7a)

Since we have added $\wedge^{\circ}$ to formulas as well, we also explicitly have to define the
truth in $M$ for $\wedge^{\circ}$, which is similar to the updated definition of $\vee^{\circ}$:

$M \models_g \phi_1 \wedge^{\circ} \phi_2$ iff for $g[\![\Pi^M_g(\phi_1)]\!]^M_h$, $M \models_g \phi_1$ and $M \models_h \phi_2$ (DLA7b)

Although $\vee^{\circ}$ and $\wedge^{\circ}$ use short-circuit evaluation, we do not explicitly have to
define them as such above because we will make sure, via the program extraction
function and an updated version of QDL11 (see below), that the valuation does
not change as a result of $\phi_2$ when $M \models_g \phi_1$ is true (in case of $\vee^{\circ}$) or false (in
case of $\wedge^{\circ}$).

We can now turn our attention to programs in DLAf. Besides the absence
of the random assignment, what a program $\pi$ can be does not change:

$\pi ::= v := t \mid ?\phi \mid \pi_1; \pi_2 \mid \pi_1 \cup \pi_2 \mid \pi^*$

To remedy the problem that more things can be expressed in QDL than there
are semantics for, we need, as mentioned earlier, to accept that a state change
can occur when evaluating a program containing formulas. In the case of QDL,
that only is the test instruction, given semantics earlier in QDL11. So, as second
major change we need to replace QDL11 by:

$g[\![?\phi]\!]^M_h$ iff $\begin{cases} g = h & \text{if } \phi = \top \\ M \models_g \phi \text{ and } g[\![\Pi^M_g(\phi)]\!]^M_h & \text{otherwise} \end{cases}$ (DLA11)

The choice here is in place to avoid looping behavior when evaluating $g[\![?\top]\!]^M_h$.
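The definitions just given (Definition 1, DLA7a/b, DLA9 and the new test semantics, over the natural-number model) can be run, and doing so reproduces the observations of Section 1.1 on the program x := 1; IF (x := x + 1 ∧° x = 2) THEN ... ELSE ... in both conjunct orders and with the test doubled. This Python is an added example, not code from the thesis; the tuple encoding of terms, formulas and programs, the omission of the star program and the cut-off subtraction are assumptions made here:

```python
# Assumed encodings (not the thesis' notation):
#   terms:    int | "x" | ("+", t1, t2) | ("*", t1, t2) | ("-", t1, t2)
#   formulas: ("T",) | ("eq", t1, t2) | ("lt", t1, t2) | ("not", f)
#             | ("or", f1, f2) | ("and", f1, f2)      short-circuit left or / and
#             | ("assign", v, t)                       [v := t]T
#   programs: ("assign", v, t) | ("test", f) | ("seq", p1, p2) | ("union", p1, p2)
TOP = ("T",)


def term(t, g):
    """[[t]]^M_g on the natural numbers; '-' is cut-off subtraction (an assumption)."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return g[t]
    op, t1, t2 = t
    x, y = term(t1, g), term(t2, g)
    return {"+": x + y, "*": x * y, "-": max(x - y, 0)}[op]


def extract(phi, g):
    """Program extraction function Pi^M_g(phi) of Definition 1."""
    kind = phi[0]
    if kind in ("T", "eq", "lt"):
        return ("test", TOP)                   # no program encountered: ?T
    if kind == "not":
        return extract(phi[1], g)              # negation is transparent
    if kind == "assign":
        return ("assign", phi[1], phi[2])
    p1 = extract(phi[1], g)
    h = run(p1, g)[0]                          # Pi has no union, so exactly one h
    left = holds(phi[1], g)
    if (kind == "or" and left) or (kind == "and" and not left):
        return p1                              # short-circuit: phi2 is never looked at
    return ("seq", p1, extract(phi[2], h))     # Pi^M_g(phi1); Pi^M_h(phi2)


def holds(phi, g):
    """M |=_g phi, with DLA7a/b judging the right operand in the updated valuation."""
    kind = phi[0]
    if kind == "T":
        return True
    if kind == "eq":
        return term(phi[1], g) == term(phi[2], g)
    if kind == "lt":
        return term(phi[1], g) < term(phi[2], g)
    if kind == "not":
        return not holds(phi[1], g)
    if kind == "assign":
        return True                            # DLA9: an assignment always succeeds
    h = run(extract(phi[1], g), g)[0]          # DLA7a/b: phi2 is evaluated in h, not g
    if kind == "or":
        return holds(phi[1], g) or holds(phi[2], h)
    return holds(phi[1], g) and holds(phi[2], h)


def run(prog, g):
    """g[[prog]]^M_h: the list of output valuations h reachable from g."""
    kind = prog[0]
    if kind == "assign":                       # QDL10
        h = dict(g)
        h[prog[1]] = term(prog[2], g)
        return [h]
    if kind == "test":                         # the replacement for QDL11 above
        phi = prog[1]
        if phi == TOP:
            return [dict(g)]                   # separate case, so ?T does not loop
        if not holds(phi, g):
            return []
        return run(extract(phi, g), g)         # the test passes; its assignments stick
    if kind == "seq":                          # QDL12
        return [k for h in run(prog[1], g) for k in run(prog[2], h)]
    if kind == "union":                        # QDL13
        return run(prog[1], g) + run(prog[2], g)
    raise ValueError(f"unknown program {prog!r}")


# Constructed input: the program of Sections 1.1 and 3.2 with the test as a parameter,
#   x := 1; (?(test); y := 1) U (?not(test); y := 2)
INC = ("assign", "x", ("+", "x", 1))           # [x := x + 1]T
X_IS_2 = ("eq", "x", 2)                        # x = 2
PHI = ("and", INC, X_IS_2)                     # [x := x + 1]T and x = 2


def branching_program(test):
    return ("seq", ("assign", "x", 1),
            ("union", ("seq", ("test", test), ("assign", "y", 1)),
                      ("seq", ("test", ("not", test)), ("assign", "y", 2))))


def demo():
    """Returns (run as written, run with conjuncts swapped, chi holds, chi and chi holds)."""
    g = {"x": 0, "y": 0}
    in_order = run(branching_program(PHI), g)                    # takes the THEN branch
    swapped = run(branching_program(("and", X_IS_2, INC)), g)    # ELSE branch, x stays 1
    once = holds(PHI, {"x": 1})                                  # chi is true here ...
    twice = holds(("and", PHI, PHI), {"x": 1})                   # ... but chi and chi is not
    return in_order, swapped, once, twice
```

Note that the negated test in the ELSE branch still performs the assignment hidden in the formula when it passes, because negation is transparent for program extraction.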

The definitions above make extensive use of the empty program (?T). In 
what follows, it will be handy to know that the empty program is truly empty. 
In particular, we would like to have $\pi; ?\top = \pi$ and $?\top; \pi = \pi$. I will prove that
below. 

Lemma 3.1.1. For any program $\pi$, initial valuation $g$, output valuation $h$ and
model $M$

$g[\![\pi; ?\top]\!]^M_h$ iff $g[\![\pi]\!]^M_h$

Proof. The proof follows from the above defined QDL-axioms:

$g[\![\pi; ?\top]\!]^M_h$ iff $\exists f$ with $g[\![\pi]\!]^M_f$ and $f[\![?\top]\!]^M_h$

Since we have $f[\![?\top]\!]^M_h$ iff $f = h$ and $M \models_f \top$, and since the latter is always
true, we have

$g[\![\pi; ?\top]\!]^M_h$ iff $g[\![\pi]\!]^M_h$

□

Lemma 3.1.2. For any program $\pi$, initial valuation $g$, output valuation $h$ and
model $M$

$g[\![?\top; \pi]\!]^M_h$ iff $g[\![\pi]\!]^M_h$

Proof. Similar to the proof of Lemma 3.1.1. □

The change to QDL11 has remedied the problem that there are expressions
in QDL for which there are no semantics defined. Of course I made a second
major change — namely replacing $\langle\pi\rangle\phi$ by $[v := t]\top$. The reason for that will
come to light as soon as I will reintroduce the WHILE command in Section 3.3.
Before I will do that, however, I will first discuss a working example to provide 
some more insight into the inner workings of DLAf . 



3.2 A working example 

In this section I will present a working example to illustrate how DLAf works.
I will use the following program, presented here in our toy language:

  x := 1;
  IF $(x := x + 1 \leftand x = 2)$
  THEN y := 1
  ELSE y := 2

In DLAf, this translates to:

  $x := 1;$
  $(?([x := x + 1]T \leftand x = 2); y := 1)$
  $\cup$
  $(?\neg([x := x + 1]T \leftand x = 2); y := 2)$

The valuations $g, h, \ldots$ are defined for all variables $v \in V$, i.e. they are total
functions. Usually we are only interested in a small number of variables, e.g. $x$
and $y$, in which case we talk about a valuation $g$ such that $g(x) = [\![t_1]\!]^M_g$ and
$g(y) = [\![t_2]\!]^M_g$, or, if valuation $h$ is an update of valuation $g$,
$h = g[x \mapsto [\![t_1]\!]^M_g, y \mapsto [\![t_2]\!]^M_g]$ (which is a shorthand for
$g[x \mapsto [\![t_1]\!]^M_g][y \mapsto [\![t_2]\!]^M_g]$). In the examples we discuss,
we take for $M$ the model of the natural numbers and we use numerals to denote
its elements.

Since we are working on natural numbers, as constants we have $n$ ranging
over numerals, as functions we have $+$, $*$ and $-$, and as extra relation we have
$\leq$. Our model $M$ contains those constants, functions and relations. Assume we
have an initial valuation $g$ that sets $x$ and $y$ to $0$: $g(x) = g(y) = 0$. We will
now first show how the program in our toy language gets evaluated using the
structural operational semantics we provided in Chapter 2:

$$(g, (x := 1; \mathrm{IF}\ (x := x + 1 \leftand x = 2)\ \mathrm{THEN}\ y := 1\ \mathrm{ELSE}\ y := 2)) \Rightarrow (g[x \mapsto 1], (\mathrm{IF}\ (x := x + 1 \leftand x = 2)\ \mathrm{THEN}\ y := 1\ \mathrm{ELSE}\ y := 2))$$

We now need to know whether $[\![(x := x + 1 \leftand x = 2)]\!]_{g[x \mapsto 1]} = T$. We can easily see
that it is, and that evaluating the guard furthermore updates the valuation again by
incrementing $x$ by $1$. Thus we get as valuation $g[x \mapsto 2]$ and we can finish our
evaluation as follows:

$$(g[x \mapsto 2], (y := 1)) \Rightarrow g[x \mapsto 2, y \mapsto 1]$$
Having seen how our example program evaluates using the semantics for our toy
language, we can turn our attention to the evaluation using DLAf. We need to
ask ourselves if $g[\![\pi]\!]^M_h$ exists (with $\pi$ the program above), that is, if there is a
valuation $h$ that models the state of the program after being executed on initial
valuation $g$.

Schematically, $\pi$ can be broken down as follows:

$$\begin{aligned}
\pi &:= \pi_0; \pi_1 & \phi_0 &:= \phi_1 \leftand \phi_2 \\
\pi_0 &:= x := 1 & \phi_1 &:= [x := x + 1]T \\
\pi_1 &:= (?\phi_0; \pi_2) \cup (?\neg\phi_0; \pi_3) & \phi_2 &:= x = 2 \\
\pi_2 &:= y := 1 \\
\pi_3 &:= y := 2
\end{aligned}$$
The break-down above paves the way to evaluate $g[\![\pi]\!]^M_h$ using the DLAf-
axioms given in the previous sections. We start by applying QDL12:

$$g[\![\pi_0; \pi_1]\!]^M_h \text{ iff } \exists f \text{ s.th. } g[\![\pi_0]\!]^M_f \text{ and } f[\![\pi_1]\!]^M_h$$

We find $f$ by evaluating $g[\![x := 1]\!]^M_f$ using QDL10 and QDL1:

$$g[\![x := 1]\!]^M_f \text{ iff } f = g[x \mapsto [\![1]\!]^M_g] = g[x \mapsto 1]$$

Now we need to evaluate $f[\![(?\phi_0; \pi_2) \cup (?\neg\phi_0; \pi_3)]\!]^M_h$. Using QDL13, we get:

$$f[\![(?\phi_0; \pi_2) \cup (?\neg\phi_0; \pi_3)]\!]^M_h \text{ iff } f[\![?\phi_0; \pi_2]\!]^M_h \text{ or } f[\![?\neg\phi_0; \pi_3]\!]^M_h$$

First we turn our attention to $f[\![?\phi_0; \pi_2]\!]^M_h$. Using QDL12 again we get $\exists d$ such
that $f[\![?\phi_0]\!]^M_d$ and $d[\![\pi_2]\!]^M_h$. To evaluate the former, we need to use our own rule
DLA11. Here we need the program extraction function $\Pi$ for the first time:

$$\begin{aligned}
f[\![?\phi_0]\!]^M_d &= f[\![?([x := x + 1]T \leftand (x = 2))]\!]^M_d \\
&\text{iff } M \models_f [x := x + 1]T \leftand (x = 2) \\
&\quad\text{and } f[\![\Pi^M_f([x := x + 1]T \leftand (x = 2))]\!]^M_d
\end{aligned}$$

We will first have a look at the program extraction function $\Pi$. Below we
see how it calculates the programs that are encountered while evaluating the
formula $[x := x + 1]T \leftand (x = 2)$:

$$\begin{aligned}
\Pi^M_f([x := x + 1]T \leftand (x = 2)) &= \Pi^M_f([x := x + 1]T); \Pi^M_f(x = 2) \\
&= (x := x + 1); ?T
\end{aligned}$$

Therefore, we have:

$$\begin{aligned}
f[\![?\phi_0]\!]^M_d &= f[\![?([x := x + 1]T \leftand (x = 2))]\!]^M_d \\
&\text{iff } M \models_f [x := x + 1]T \leftand (x = 2) \\
&\quad\text{and } f[\![x := x + 1; ?T]\!]^M_d \text{, i.e. (by Lemma 3.1.1) } f[\![x := x + 1]\!]^M_d
\end{aligned}$$
The first of these two, $M \models_f [x := x + 1]T \leftand (x = 2)$, nicely shows why we need
an updated version of $\leftand$ and $\leftor$. As we already noticed, the test $\phi_0$ contains a
program (the assignment $x := x + 1$) and therefore the state (valuation) changes.
As we will see, this changes the outcome of the second part of the test. We
need DLA7b and our program extraction function $\Pi$ here:

$$M \models_f [x := x + 1]T \leftand (x = 2) \text{ iff for } f[\![x := x + 1]\!]^M_c,\ M \models_f [x := x + 1]T \text{ and } M \models_c (x = 2)$$

$M \models_f [x := x + 1]T$ is defined by DLA8 to be always true. Applying QDL10
on $f[\![x := x + 1]\!]^M_c$ gives us $c = f[x \mapsto 2]$. We can then apply QDL5 on
$M \models_c (x = 2)$:

$$M \models_c (x = 2) \text{ iff } [\![x]\!]^M_c = [\![2]\!]^M_c$$

We can easily see (using QDL1) that $[\![x]\!]^M_c = c(x) = 2 = [\![2]\!]^M_c$. Therefore, we
have $M \models_c (x = 2)$ and thus $M \models_f [x := x + 1]T \leftand (x = 2)$.

We now need to finish the evaluation of DLA11 by evaluating $f[\![x := x + 1]\!]^M_d$.
This can again be done using QDL10 and gives us $d = f[x \mapsto 2]$. Because the
test $?\phi_0$ has now succeeded, we can continue to the evaluation of $d[\![\pi_2]\!]^M_h =
d[\![y := 1]\!]^M_h$. This gives us $h = d[y \mapsto 1]$. Having already established that
$?\phi_0$ succeeds, we also know that $?\neg\phi_0$ will not succeed. Therefore, we are done
with the evaluation of this program $\pi$, getting that $g[\![\pi]\!]^M_h$ with $g(x) = g(y) = 0$
is indeed possible with $h = g[x \mapsto 2, y \mapsto 1]$.



3.3 Re-introducing WHILE 

Earlier I introduced our toy language, which was like Van Eijck's WHILE
language, but without a WHILE (or: guarded iteration) programming command.
Now that we have seen DLAf in action in our simplified toy language, it
is time to re-introduce the WHILE command. After doing that, we will see that
the re-introduction of WHILE raises some more issues that warrant the second
modification I made to QDL, namely replacing the formula $\langle\pi\rangle\phi$ with $[v := t]T$.



3.3.1 The WHILE command 

The WHILE command takes the form WHILE $B$ DO $C$. The complete list of
programming commands in our toy language then is:

$$C ::= \mathrm{SKIP} \mid \mathrm{ABORT} \mid v := a \mid C_1; C_2 \mid \mathrm{IF}\ B\ \mathrm{THEN}\ C_1\ \mathrm{ELSE}\ C_2 \mid \mathrm{WHILE}\ B\ \mathrm{DO}\ C$$

In structural operational semantics, the semantics for the guarded iteration are
as follows. There are two options: if the guard ($B$) is not satisfied, command $C$
is not executed. Instead, the command finishes, with as only (possible) change
the change that the evaluation of guard $B$ has made to the state:

$$\frac{(g, B) \Rightarrow g'}{(g, \mathrm{WHILE}\ B\ \mathrm{DO}\ C) \Rightarrow g'} \quad [\![B]\!]_g = F$$

If the guard is satisfied, the rule becomes a little more complicated because
command $C$ gets executed in a state which is possibly changed by guard $B$.
Like before, we have two cases: one for which $C$ finishes in a single step and
one for which it does not.

$$\frac{(g, B) \Rightarrow g' \qquad (g', C) \Rightarrow g''}{(g, \mathrm{WHILE}\ B\ \mathrm{DO}\ C) \Rightarrow (g'', \mathrm{WHILE}\ B\ \mathrm{DO}\ C)} \quad [\![B]\!]_g = T$$

$$\frac{(g, B) \Rightarrow g' \qquad (g', C) \Rightarrow (g'', C')}{(g, \mathrm{WHILE}\ B\ \mathrm{DO}\ C) \Rightarrow (g'', C'; \mathrm{WHILE}\ B\ \mathrm{DO}\ C)} \quad [\![B]\!]_g = T$$


3.3.2 WHILE in DLAf 

In PDL, and therefore in QDL and DLAf, WHILE is expressed as follows:

$$\mathrm{WHILE}\ \phi\ \mathrm{DO}\ \pi := (?\phi; \pi)^*; ?\neg\phi$$

Thanks to the updated rule for $?\phi$ (DLA11), DLAf is able to handle programs
with WHILE perfectly. To see how this works, consider the following example:

  x := 0;
  y := 0;
  WHILE $(x := x + 1 \leftand x \leq 2)$
  DO y := y + 1

In DLAf, this translates to:

  $x := 0;$
  $y := 0;$
  $(?([x := x + 1]T \leftand x \leq 2); y := y + 1)^*;$
  $?\neg([x := x + 1]T \leftand x \leq 2)$

After the first two commands, we have $g(x) = g(y) = 0$. We now need to
look at how the $*$ operator is evaluated. QDL14 states that $g[\![\pi^*]\!]^M_h$ iff $g = h$
or $g[\![\pi; \pi^*]\!]^M_h$. This means that $\pi$ is either executed not at all (in which case
$g = h$) or at least once. In our case, $\pi = ?([x := x + 1]T \leftand x \leq 2); y := y + 1$.

The first option is that $\pi$ is executed not at all, in which case $g = h$. However,
under this valuation $h$ there is no possible valuation $h'$ after evaluation of the
next program command $?\neg([x := x + 1]T \leftand x \leq 2)$. In other words,
$h[\![?\neg([x := x + 1]T \leftand x \leq 2)]\!]^M_{h'}$ is false. Therefore, we have to turn our attention to the
other option given by the $*$ command, which is $g[\![\pi; \pi^*]\!]^M_h$. For the evaluation
of this we first need QDL12, which tells us that there has to be an $f$ such that
$g[\![\pi]\!]^M_f$ and $f[\![\pi^*]\!]^M_h$. In Section 3.2 we have already seen how a test of this kind
evaluates; here $g[\![\pi]\!]^M_f$ will succeed and result in a new valuation $f = g[x \mapsto 1, y \mapsto 1]$.

Now we need to evaluate $\pi^*$ again, but this time with a different initial
valuation (namely $f$). This loop continues until we arrive at a valuation $f'$ for
which the final program command (the test $?\neg([x := x + 1]T \leftand x \leq 2)$) will
succeed. In our example, this happens after the second iteration, when we have
$f' = g[x \mapsto 2, y \mapsto 2]$, giving us a resulting valuation $h = g[x \mapsto 3, y \mapsto 2]$ (the
final test increments $x$ once more before it succeeds), which
is exactly what we would expect given this WHILE loop. 
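The two evaluations traced by hand (the IF program of Section 3.2 and the WHILE program above) can be mechanised. The following Python evaluator is an added example and not code from the thesis: it computes the relational meaning $g[\![\pi]\!]^M_h$ for the DLAf fragment used in these sections, with the program extraction function $\Pi$ realised by threading the valuation through formula evaluation, so that a test changes the state exactly when the formula it tests contains an assignment. The representation of terms as Python callables, the class names, the omission of $\leftor$ (it is handled dually to $\leftand$) and the unfolding of $\pi^*$ up to a fixed iteration bound are assumptions of this example, not notation from the thesis. The evaluator also records the basic instructions actually executed, which for a deterministic program is its canonical form (Proposition 4 in Chapter 4).

```python
"""Relational evaluation of DLAf programs over the natural numbers (added example,
not code from the thesis).  Covers the fragment of Sections 3.2 and 3.3.2: a
tested formula may contain [v := t]T and the short-circuit conjunction, so a test
may change the valuation; `holds` returns the truth value together with the
valuation left by the extracted program Pi(phi).  Terms are Python callables
over a valuation, a simplification of the thesis's syntactic terms."""
import operator
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Valuation = Dict[str, int]
Term = Callable[[Valuation], int]

# ---- formulas ----------------------------------------------------------------
@dataclass(frozen=True)
class Rel:                   # t1 = t2, t1 <= t2, ...; op is a relation of M
    op: Callable[[int, int], bool]; left: Term; right: Term
@dataclass(frozen=True)
class AssignF:               # [v := t]T: always true (DLA8) but updates the valuation
    var: str; term: Term
@dataclass(frozen=True)
class Not:
    arg: object
@dataclass(frozen=True)
class SCAnd:                 # left-sequential conjunction (DLA7b)
    left: object; right: object

def holds(phi, g: Valuation) -> Tuple[bool, Valuation]:
    """M |=_g phi, paired with the h such that g[[Pi(phi)]]_h: the valuation after
    the assignments inside phi have run, in evaluation order."""
    if isinstance(phi, Rel):
        return phi.op(phi.left(g), phi.right(g)), g
    if isinstance(phi, AssignF):
        return True, {**g, phi.var: phi.term(g)}
    if isinstance(phi, Not):
        b, h = holds(phi.arg, g)
        return (not b), h
    if isinstance(phi, SCAnd):   # phi2 is evaluated, in the updated valuation, only if phi1 holds
        b, h = holds(phi.left, g)
        return holds(phi.right, h) if b else (False, h)
    raise TypeError(f"not a formula: {phi!r}")

# ---- programs ----------------------------------------------------------------
@dataclass(frozen=True)
class Assign:                # v := t
    var: str; term: Term
@dataclass(frozen=True)
class Test:                  # ?phi
    phi: object
@dataclass(frozen=True)
class Seq:                   # pi1 ; pi2
    first: object; second: object
@dataclass(frozen=True)
class Choice:                # pi1 U pi2
    left: object; right: object
@dataclass(frozen=True)
class Star:                  # pi*
    body: object

def run(pi, g: Valuation) -> set:
    """Relational meaning g[[pi]]_h as a set of (frozenset(h.items()), trace) pairs,
    where trace is the tuple of basic instructions executed.  A deterministic
    program yields at most one pair; its trace is the canonical form of
    Proposition 4 (basic instructions joined by ';' only)."""
    if isinstance(pi, Assign):                                  # QDL10
        return {(frozenset({**g, pi.var: pi.term(g)}.items()), (pi,))}
    if isinstance(pi, Test):                                    # DLA11
        b, h = holds(pi.phi, g)
        return {(frozenset(h.items()), (pi,))} if b else set()
    if isinstance(pi, Seq):                                     # QDL12
        return {(h, t1 + t2) for f, t1 in run(pi.first, g)
                for h, t2 in run(pi.second, dict(f))}
    if isinstance(pi, Choice):                                  # QDL13
        return run(pi.left, g) | run(pi.right, g)
    if isinstance(pi, Star):                                    # QDL14, unfolded until nothing new appears
        results = {(frozenset(g.items()), ())}
        frontier = set(results)
        for _ in range(10_000):                                 # bound: a looping program exceeds it
            frontier = {(h, t1 + t2) for f, t1 in frontier
                        for h, t2 in run(pi.body, dict(f))} - results
            if not frontier:
                return results
            results |= frontier
        raise RuntimeError("pi* has no finite evaluation within the iteration bound")
    raise TypeError(f"not a program: {pi!r}")

def final_valuations(pi, g: Valuation) -> list:
    """Output valuations of pi on g as plain dicts (empty list: pi fails on g)."""
    return [dict(h) for h, _ in run(pi, g)]

# ---- the two worked examples of the text -------------------------------------
X, Y = (lambda g: g["x"]), (lambda g: g["y"])
def const(n): return lambda g: n
def plus(t, u): return lambda g: t(g) + u(g)

# Section 3.2:   x := 1; IF (x := x + 1 /\ x = 2) THEN y := 1 ELSE y := 2
PHI_0 = SCAnd(AssignF("x", plus(X, const(1))), Rel(operator.eq, X, const(2)))
EXAMPLE_3_2 = Seq(Assign("x", const(1)),
                  Choice(Seq(Test(PHI_0), Assign("y", const(1))),
                         Seq(Test(Not(PHI_0)), Assign("y", const(2)))))
# Section 3.3.2: x := 0; y := 0; WHILE (x := x + 1 /\ x <= 2) DO y := y + 1
GUARD = SCAnd(AssignF("x", plus(X, const(1))), Rel(operator.le, X, const(2)))
EXAMPLE_3_3 = Seq(Seq(Assign("x", const(0)), Assign("y", const(0))),
                  Seq(Star(Seq(Test(GUARD), Assign("y", plus(Y, const(1))))),
                      Test(Not(GUARD))))
```

Running `final_valuations(EXAMPLE_3_2, {"x": 0, "y": 0})` yields the single valuation $x = 2, y = 1$ found above, and `final_valuations(EXAMPLE_3_3, {"x": 0, "y": 0})` yields $x = 3, y = 2$; the trace attached to the latter is the sequence $x := 0;\ y := 0;\ (?\phi; y := y + 1)^2;\ ?\neg\phi$. Note that the evaluator, like the relational semantics, reports the ELSE branch of the IF as simply having no output valuation: the assignment inside its failed test is performed during formula evaluation, but no $h$ with $g[\![?\neg\phi_0]\!]^M_h$ exists.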
3.3.3 Looping behavior and abnormal termination

An interesting problem regarding the WHILE language and QDL is that WHILE
T DO SKIP (looping behavior) and ABORT (abnormal termination) are indis-
tinguishable. In some semantics, such as natural semantics, this is also the case
[11]. In structural operational semantics, however, there is an (infinite) deriva-
tion sequence for WHILE T DO SKIP, whereas there is no derivation sequence
for ABORT.

Using the standard lemma that $\langle\pi_1; \pi_2\rangle\phi \leftrightarrow \langle\pi_1\rangle\langle\pi_2\rangle\phi$, we can
prove the equivalence of WHILE T DO SKIP and ABORT in QDL. To do so,
we need to ask if $\langle(?T; ?T)^*; ?\bot\rangle\phi \leftrightarrow \langle?\bot\rangle\phi$.

Theorem 3.3.1. In QDL, looping behavior and abnormal termination are equiv-
alent: for any $\phi$

$$\langle(?T; ?T)^*; ?\bot\rangle\phi \leftrightarrow \langle?\bot\rangle\phi$$

Proof. We will work out the left part first:

$$\langle(?T; ?T)^*; ?\bot\rangle\phi \leftrightarrow \langle(?T; ?T)^*\rangle\langle?\bot\rangle\phi$$

So we have $\langle(?T; ?T)^*\rangle\psi$ with $\psi = \langle?\bot\rangle\phi$. Truth of the former in an arbitrary
model $M$ and for an initial valuation $g$ is defined as follows:

$$M \models_g \langle(?T; ?T)^*\rangle\psi \text{ iff for some } h \text{ with } g[\![(?T; ?T)^*]\!]^M_h,\ M \models_h \psi$$

Furthermore we have

$$g[\![(?T; ?T)^*]\!]^M_h \text{ iff } g = h \text{ or } g[\![(?T; ?T); (?T; ?T)^*]\!]^M_h$$

We have seen in the previous section how such a formula evaluates; after one
iteration we will have $g[\![?T; ?T]\!]^M_f$, with $f = h$, as one of the options the $*$
command gives us. Finally we have

$$g[\![?T; ?T]\!]^M_h = g[\![?T]\!]^M_h \text{ iff } g = h \text{ and } M \models_g T$$

This is always the case, so indeed there is an $h$ such that $g[\![(?T; ?T)^*]\!]^M_h$ (namely
$h = g$); moreover, since every iteration leaves the valuation unchanged, every such
$h$ equals $g$. Therefore, determining the truth of $M \models_g \langle(?T; ?T)^*\rangle\psi$ comes down
to determining the truth of $M \models_g \psi$, which is $M \models_g \langle?\bot\rangle\phi$.

Since that is exactly the right hand side of the equivalence we started out with,
we indeed have that

$$\langle(?T; ?T)^*; ?\bot\rangle\phi \leftrightarrow \langle?\bot\rangle\phi$$

□

Not being able to distinguish between looping behavior and abnormal ter-
mination seems undesirable. It is because of this that I have decided to drop
the $\langle\pi\rangle\phi$ formulas and replace them by the weaker, but less problematic, formulas
$[v := t]T$. Looping behaviour can now no longer be proven to be equivalent
to abnormal termination. Furthermore, we avoid problems with formulas that
require infinite evaluations, such as $\langle(?T)^*; ?\bot\rangle\phi$.

Because looping behavior and abnormal termination can no longer be proven
equal in DLAf, the relational meaning of DLAf-instructions now is an instance
of the structural operational semantics we defined for our toy language, with the
valuations as 'states'. Naturally, this is what we want, since it expresses that
DLAf is a fully defined system that has the behavior we would expect given our
toy language.

This modification also underlines the usefulness of the switch to short-circuit
versions of the logical connectives ($\leftor$ and its dual $\leftand$). In QDL, the steering
fragment of the program

  IF x := x + 1 AND x = 2 THEN a ELSE b

can be expressed using $?(\langle x := x + 1\rangle(x = 2))$. In DLAf such an expression
is no longer allowed. However, having $\leftand$ and $\leftor$ in DLAf allows us to
provide a perhaps even more natural translation of this program, namely
$?([x := x + 1]T \leftand x = 2)$. The full-evaluation versions of these logical connectives
($\wedge$ and $\vee$) would not do, because the order of the program instructions is important
here. As we will see in Chapter 5, we do not strictly need $\leftand$ and $\leftor$ in DLAf, but
the fact that they provide natural translations of this kind, together with the fact
that having logical connectives defined is standard in dynamic logic, is reason
enough to keep them.



4 Terminology



In this chapter I will present the terminology I will be using in the remainder 
of this thesis. In particular, I will present a more fine-grained breakdown of 
the definitions for formulas, instructions and programs. Furthermore, I will 
introduce a property of formulas called normal form and use that to prove yet 
another property of DLAf regarding complex steering fragments. Next, I will 
introduce a subclass of programs called deterministic programs. Finally, I will 
introduce a property of deterministic programs called canonical form. 

4.1 Formulas, instructions and programs 

In this section I will present the more fine-grained breakdown of the definitions 
for formulas, instructions and programs. 

Definition 2. Formulas can either be primitive or compound formulas. Prim-
itive formulas are written as $\psi$ and defined as follows:

$$\psi ::= T \mid R\,t_1 \ldots t_n \mid t_1 = t_2 \mid [v := t]T$$

Compound formulas are written as $\phi$ and defined similarly, but with negation
and short-circuit disjunction and conjunction added:

$$\phi ::= T \mid R\,t_1 \ldots t_n \mid t_1 = t_2 \mid \neg\phi \mid \phi_1 \leftor \phi_2 \mid \phi_1 \leftand \phi_2 \mid [v := t]T$$

Definition 3. Instructions can either be single instructions or basic instruc-
tions. Single instructions are written as $\rho$ and defined as follows:

$$\rho ::= (v := t) \mid ?\psi$$

Basic instructions are written as $\omega$ and have a slightly less restrictive definition
regarding tests:

$$\omega ::= (v := t) \mid ?\phi$$

This means that single instructions form a subset of basic instructions.

Definition 4. Programs are written as $\pi$ and consist of one or more basic
instructions joined by either concatenation (;), union ($\cup$) or repetition ($*$):

$$\pi ::= \omega \mid \pi_1; \pi_2 \mid \pi_1 \cup \pi_2 \mid \pi^*$$

4.2 Normal forms of formulas 

In this section I will introduce a property of formulas called normal form and 
use that to prove a property of DLAf regarding complex steering fragments. I 
will start with the former. 

Definition 5. A formula is said to be in its normal form iff all negations (if
any) that occur in the formula are on atomic level, that is if the negations only
have primitive formulas as their argument (i.e. are of the form $\neg\psi$).

Proposition 1. Any formula can be rewritten into its normal form such that
its relational meaning is preserved.

Proof. Left-sequential versions of De Morgan's laws are valid for formulas (we
come back to this point in Chapter 5): given model $M$ and initial valuation $g$
we prove that

$$M \models_g \neg(\phi_1 \leftand \phi_2) \Leftrightarrow M \models_g \neg\phi_1 \leftor \neg\phi_2$$

For $\Rightarrow$, first assume that $M \models_g \phi_1$; thus $M \not\models_h \phi_2$ for $g[\![\Pi^M_g(\phi_1)]\!]^M_h$, thus
$M \models_h \neg\phi_2$, and thus $M \models_g \neg\phi_1 \leftor \neg\phi_2$. If $M \not\models_g \phi_1$, then $M \models_g \neg\phi_1$, and
thus also $M \models_g \neg\phi_1 \leftor \neg\phi_2$.

In order to show $\Leftarrow$, first assume that $M \models_g \neg\phi_1$; thus $M \not\models_g \phi_1 \leftand \phi_2$,
thus $M \models_g \neg(\phi_1 \leftand \phi_2)$. If $M \not\models_g \neg\phi_1$, then $M \models_h \neg\phi_2$ for $g[\![\Pi^M_g(\neg\phi_1)]\!]^M_h$, so
$M \not\models_g \phi_1 \leftand \phi_2$, and thus $M \models_g \neg(\phi_1 \leftand \phi_2)$.

The dual statement can be proved in the same way. □

The set of side effects caused by the evaluation of a formula does not change
under rewritings of this kind. Using normal forms, we can derive an interesting
property of DLAf:

Proposition 2. Let $\phi$ be a formula. The program $?\phi$ can be rewritten to a form
in which only primitive formulas or negations thereof occur in tests, such that
its relational meaning is preserved.

Proof. Let $\phi_n$ be a normal form of $\phi$ and assume $\phi_n$ is not a primitive formula
or the negation thereof. Then $\phi_n$ either is of the form $\phi_1 \leftand \phi_2$ or $\phi_1 \leftor \phi_2$. For
conjunctions, it is easy to see how the program $?\phi_n$ can be rewritten as meant
in the proposition:

$$?(\phi_1 \leftand \phi_2) = ?\phi_1; ?\phi_2$$

We can assume by induction that $?\phi_1$ and $?\phi_2$ have been rewritten into a form in
which only primitive formulas and their negations occur, too. We now need to prove
that these programs have the same relational meaning, that is, given model $M$
and initial valuation $g$,

$$g[\![?(\phi_1 \leftand \phi_2)]\!]^M_h \text{ iff } g[\![?\phi_1; ?\phi_2]\!]^M_h$$

If $M \not\models_g \phi_1$, then $h$ does not exist in both cases. If, for $g[\![\Pi^M_g(\phi_1)]\!]^M_f$, $M \not\models_f \phi_2$,
$h$ does not exist in both cases either. Otherwise, on the left hand side, we get
$h$ by applying DLA11:

$$g[\![\Pi^M_g(\phi_1 \leftand \phi_2)]\!]^M_h$$

which by definition of the program extraction function, since $M \models_g \phi_1$, equals

$$g[\![\Pi^M_g(\phi_1); \Pi^M_f(\phi_2)]\!]^M_h$$

On the right hand side, we get $h$ by first applying QDL12, then applying DLA11
twice and finally applying QDL12 again:

$$\begin{aligned}
g[\![?\phi_1; ?\phi_2]\!]^M_h &\text{ iff } \exists f \text{ s.th. } g[\![?\phi_1]\!]^M_f \text{ and } f[\![?\phi_2]\!]^M_h \\
&\text{ iff } \exists f \text{ s.th. } g[\![\Pi^M_g(\phi_1)]\!]^M_f \text{ and } f[\![\Pi^M_f(\phi_2)]\!]^M_h \\
&\text{ iff } g[\![\Pi^M_g(\phi_1); \Pi^M_f(\phi_2)]\!]^M_h
\end{aligned}$$

For disjunctions, the rewritten version is slightly more complex:

$$?(\phi_1 \leftor \phi_2) = ?\phi_1 \cup (?\neg\phi_1; ?\phi_2)$$

We can prove that, given model $M$ and initial valuation $g$,

$$g[\![?(\phi_1 \leftor \phi_2)]\!]^M_h \text{ iff } g[\![?\phi_1 \cup (?\neg\phi_1; ?\phi_2)]\!]^M_h$$

in a similar fashion as above. If $M \models_g \phi_1$, then in both cases $h$ is obtained by

$$g[\![\Pi^M_g(\phi_1)]\!]^M_h$$

If $M \not\models_g \phi_1$, then if for $g[\![\Pi^M_g(\phi_1)]\!]^M_f$, $M \not\models_f \phi_2$, in both cases $h$ does not exist.
If $M \models_f \phi_2$, then on the left hand side $h$ is obtained via

$$g[\![\Pi^M_g(\phi_1 \leftor \phi_2)]\!]^M_h = g[\![\Pi^M_g(\phi_1); \Pi^M_f(\phi_2)]\!]^M_h$$

and on the right hand side $h$ is obtained by

$$\begin{aligned}
g[\![?\neg\phi_1; ?\phi_2]\!]^M_h &\text{ iff } \exists f \text{ s.th. } g[\![?\neg\phi_1]\!]^M_f \text{ and } f[\![?\phi_2]\!]^M_h \\
&\text{ iff } \exists f \text{ s.th. } g[\![\Pi^M_g(\neg\phi_1)]\!]^M_f \text{ and } f[\![\Pi^M_f(\phi_2)]\!]^M_h \\
&\text{ iff } g[\![\Pi^M_g(\phi_1); \Pi^M_f(\phi_2)]\!]^M_h
\end{aligned}$$

□



On a side note, a similar result can be obtained for QDL. There the program
$?(\phi_1 \vee \phi_2)$ can be rewritten to

$$(?\phi_1; ?\phi_2) \cup (?\phi_1; ?\neg\phi_2) \cup (?\neg\phi_1; ?\phi_2)$$

The differences with the DLAf version of the same rule are there because
QDL uses full evaluation. Therefore, $\phi_2$ has to be evaluated even when $\phi_1$ is
true, although $\phi_2$ does not have to be true in that case.
4.3 Deterministic programs and canonical forms

Defining side effects for entire programs can be complicated. This is because two
composition operators, namely union and repetition, can be non-deterministic.
We are, however, not interested in (the side effects of) non-deterministic pro-
grams, even though they can be expressed in DLAf¹. To be exact, we are only
interested in if ... then ... else constructions and while constructions, which in
DLAf are expressed as follows:

$$\mathrm{IF}\ \phi\ \mathrm{THEN}\ \pi_1\ \mathrm{ELSE}\ \pi_2 := (?\phi; \pi_1) \cup (?\neg\phi; \pi_2)$$
$$\mathrm{WHILE}\ \phi\ \mathrm{DO}\ \pi := (?\phi; \pi)^*; ?\neg\phi$$

To formally specify this, we introduce deterministic programs, which, cf. [14, 11],
are defined as follows:

Definition 6. A deterministic program $d\pi$ is a DLAf-program in one of the
following forms:

$$d\pi ::= \omega \mid d\pi_1; d\pi_2 \mid (?\phi; d\pi_1) \cup (?\neg\phi; d\pi_2) \mid ((?\phi; d\pi)^*; ?\neg\phi)$$

There are two interesting properties of deterministic programs. The first
concerns programs of the form $(?\phi; \pi)^*; ?\neg\phi$. In this case there will only
ever be exactly one way in which the program gets evaluated². After all,
there is exactly one number of repetitions for which the test $?\phi$ succeeds each time
but fails the next time it is evaluated. We can formalize this intuition in the following
proposition:

Proposition 3. Let $d\pi = (?\phi; d\pi_0)^*; ?\neg\phi$ be a deterministic program. Let model
$M$ and initial valuation $g$ be given and let $h$ be the valuation such that $g[\![d\pi]\!]^M_h$.
There is a unique $n \in \mathbb{N}_0$ such that

$$g[\![d\pi]\!]^M_h \text{ iff } g[\![(?\phi; d\pi_0)^n; ?\neg\phi]\!]^M_h$$

where $(d\pi_1)^0; d\pi_2 = d\pi_2$ and $(d\pi_1)^{n+1}; d\pi_2 = d\pi_1; (d\pi_1)^n; d\pi_2$.

Proof. We first prove that there is at least one $n \in \mathbb{N}_0$ for which the above
equivalence holds. Assume such an $n$ does not exist. This means that $?\neg\phi$ can
never be evaluated successfully, which contradicts our requirement that there is
a valuation $h$ such that $g[\![d\pi]\!]^M_h$.

Next, we have to prove that there is at most one such $n$. Let $g_i$ be the
valuation such that $g[\![(?\phi; d\pi_0)^i]\!]^M_{g_i}$. By writing this out and then applying
DLA11, we know that for $i < n$ we have $M \models_{g_i} \phi$, i.e. the test $?\phi$ succeeds in $g_i$.
Therefore, for a valuation $g_i$ with $i < n$ we cannot evaluate $?\neg\phi$ successfully, and
thus there is no $i < n$ for which the above equivalence holds.

We know that for $i = n$ we have $M \models_{g_n} \neg\phi$. This automatically means
that for $i > n$ the above equivalence will not hold either, since we cannot satisfy
$?\phi$ in $g_n$. Thus, we have exactly one $n$. □

¹In fact, as we already mentioned in Chapter 2, we can ask ourselves if it is reasonable to
talk about side effects in non-deterministic programs. We have left this question for future
work.

²That is, unless we are dealing with an infinite loop, but in that case the program has no
evaluation and we are not interested in those.
The second interesting property of a deterministic program is the following:

Definition 7. A deterministic program $d\pi$ is said to be in canonical form if
only concatenations occur as composition operators.

This property is going to be very useful, because we can prove that, given an
initial valuation $g$, any program has a unique canonical form that has the same
behavior:

Proposition 4. Let $d\pi$ be a deterministic program. Let model $M$ and initial
valuation $g$ be given and let $h$ be the valuation such that $g[\![d\pi]\!]^M_h$. There is a
unique deterministic program $d\pi'$ in canonical form such that

$$g[\![d\pi]\!]^M_h \text{ iff } g[\![d\pi']\!]^M_h$$

and $d\pi'$ executes the same basic instructions and the same number of basic
instructions as $d\pi$.

Proof. If $d\pi = (?\phi; d\pi_1) \cup (?\neg\phi; d\pi_2)$, then $d\pi'$ depends on the truth of $\phi$:

$$d\pi' = \begin{cases} ?\phi; d\pi_1' & \text{if } M \models_g \phi \\ ?\neg\phi; d\pi_2' & \text{otherwise} \end{cases}$$

By induction we can assume that $d\pi_1'$ and $d\pi_2'$ are the canonical forms of $d\pi_1$
and $d\pi_2$ (if these are not empty), respectively. That $g[\![d\pi]\!]^M_h$ iff $g[\![d\pi']\!]^M_h$
follows directly from QDL13 in this case.

If $d\pi = (?\phi; d\pi_1)^*; ?\neg\phi$, we need to use $n$ as meant in Proposition 3:

$$d\pi' = (?\phi; d\pi_1')^n; ?\neg\phi$$

Once again we can assume by induction that $d\pi_1'$ is the canonical form of $d\pi_1$
(once again, if $d\pi_1$ is not empty). That $g[\![d\pi]\!]^M_h$ iff $g[\![d\pi']\!]^M_h$ now follows
directly from Proposition 3.

It is easy to see that in both these cases $d\pi'$ executes the same basic instruc-
tions as $d\pi$. It is also easy to see that $d\pi'$ is unique: we cannot add instructions
using union or repetition because then $d\pi'$ would no longer be in canonical form,
and we cannot add instructions using concatenation because those instructions
would be executed, which violates the requirement that $d\pi'$ only executes the same
basic instructions as $d\pi$. We cannot alter or remove instructions in $d\pi'$ either,
because all instructions in $d\pi'$ get executed, so altering or removing one would
also violate said requirement. □
5 The logic of formulas in DLAf

Now that we have DLAf defined and shown how it works, it is time to examine
the logic of formulas a little closer. As we have mentioned before, we are making
use of short-circuit versions of the $\wedge$ and $\vee$ connectives, i.e. connectives that
prescribe short-circuit evaluation. In [5], different flavours of short-circuit logics
(logics that can be defined by short-circuit evaluation) are identified. In this
chapter we will give a short overview of these and present the short-circuit logic
that underlies the formulas in DLAf, which turns out to be repetition-proof
short-circuit logic (RPSCL).

5.1 Proposition algebra

Short-circuit logic can be defined using proposition algebra, an algebra that has
short-circuit evaluation as its natural semantics. Proposition algebra is intro-
duced by Bergstra and Ponse in [3] and makes use of Hoare's ternary connective
$x \lhd y \rhd z$, which is called the conditional [16]. A more common expression for
this conditional is "if $y$ then $x$ else $z$", with $x$, $y$ and $z$ ranging over propositional
statements (including propositional variables). Throughout this thesis, we will
use atom as a shorthand for propositional variable.

Using a signature which includes this conditional, $\Sigma_{CP} = \{T, \bot, \_\lhd\_\rhd\_\}$, the
following set CP of axioms for proposition algebra can be defined:

$$x \lhd T \rhd y = x \qquad \text{(CP1)}$$
$$x \lhd \bot \rhd y = y \qquad \text{(CP2)}$$
$$T \lhd x \rhd \bot = x \qquad \text{(CP3)}$$
$$x \lhd (y \lhd z \rhd u) \rhd v = (x \lhd y \rhd v) \lhd z \rhd (x \lhd u \rhd v) \qquad \text{(CP4)}$$

In the earlier mentioned paper [4], varieties of so-called valuation algebras are
defined that serve the interpretation of a logic over $\Sigma_{CP}$ by means of short-circuit
evaluation. The evaluation of the conditional $t_1 \lhd t_2 \rhd t_3$ is then as follows: first
$t_2$ gets evaluated. That yields either T, in which case the final evaluation result
is determined by the evaluation of $t_1$, or F, in which case the same goes for $t_3$.

All varieties mentioned in [4] satisfy the above four axioms. The most dis-
tinguishing variety is called the variety of free reactive valuations and is
axiomatized by exactly the four axioms above (further referred to as conditional
propositions (CP)) and nothing more. The associated valuation congruence is
called free valuation congruence and written as $=_{fr}$. Thus, for each pair of
closed terms¹ $t, t'$ over $\Sigma_{CP}$, we have

$$\mathrm{CP} \vdash t = t' \Longleftrightarrow t =_{fr} t'$$

Using the conditional, we can define negation ($\neg$), left-sequential conjunction
($\leftand$) and left-sequential disjunction ($\leftor$) as follows:

$$\neg x = \bot \lhd x \rhd T$$
$$x \leftand y = y \lhd x \rhd \bot$$
$$x \leftor y = T \lhd x \rhd y$$

The above defined connectives are associative and each other's dual. In CP,
it is not possible to express the conditional $x \lhd y \rhd z$ using any set of Boolean
connectives, such as $\leftand$ and $\leftor$ [3].

By adding axioms to CP, it can be strengthened. The signature and axioms
of one such extension are called memorizing CP. We write $\mathrm{CP}_{mem}$ for this
extension that is obtained by adding the axiom CPmem to CP. This axiom
expresses that the first evaluation value of $y$ is memorized:

$$x \lhd y \rhd (z \lhd u \rhd (v \lhd y \rhd w)) = x \lhd y \rhd (z \lhd u \rhd w) \qquad \text{(CPmem)}$$

With $u = \bot$ and by replacing $y$ by $\neg y$ we get the contraction law:

$$(w \lhd y \rhd v) \lhd y \rhd x = w \lhd y \rhd x$$

A consequence of contraction is the idempotence of $\leftand$. Furthermore, $\mathrm{CP}_{mem}$ is
the least identifying extension of CP for which the conditional can be expressed
using negation, conjunction and disjunction. To be exact, the following holds
in $\mathrm{CP}_{mem}$:

$$x \lhd y \rhd z = (y \leftand x) \leftor (\neg y \leftand z)$$

We write $=_{mem}$ (memorizing valuation congruence) for the valuation congruence
axiomatized by $\mathrm{CP}_{mem}$.

Another extension of CP, the most identifying one distinguished in [4], is de-
fined by adding both the contraction law and the axiom below, which expresses
how the order of $u$ and $y$ can be swapped, to CP:

$$(x \lhd y \rhd z) \lhd u \rhd v = (x \lhd u \rhd v) \lhd y \rhd (z \lhd u \rhd v) \qquad \text{(CPstat)}$$

The signature and axioms of this extension, for which we write $\mathrm{CP}_{stat}$, are
called static CP. We write $=_{stat}$ (static valuation congruence) for the valuation
congruence axiomatized by $\mathrm{CP}_{stat}$. A consequence in $\mathrm{CP}_{stat}$ is $v = v \lhd y \rhd v$,
which can be used to derive the commutativity of $\leftand$: $x \leftand y = y \leftand x$.

$\mathrm{CP}_{stat}$ is the most identifying extension of CP because it is 'equivalent with'
propositional logic, that is, all tautologies in propositional logic can be proved
in $\mathrm{CP}_{stat}$ using the above translations of its common connectives [5].

¹Terms that may contain atoms, but not variables.
5.2 Short-Circuit Logics

In this section we will present the definition of short-circuit logic and its most
basic form, free short-circuit logic (FSCL). The definitions are given using mod-
ule algebra [2]. In module algebra, $S \,\square\, X$ is the operation that exports the
signature $S$ from module $X$ while declaring other signature elements hidden.
Using this operation, short-circuit logics are defined as follows:

Definition 8. A short-circuit logic is a logic that implies the consequences
of the module expression

$$\mathrm{SCL} = \{T, \neg, \leftand\} \,\square\, (\mathrm{CP} + \langle \neg x = \bot \lhd x \rhd T \rangle + \langle x \leftand y = y \lhd x \rhd \bot \rangle)$$

Thus, the conditional composition is declared to be an auxiliary operator.
In SCL, $\bot$ can be used as a shorthand for $\neg T$. After all, we have that

$$\mathrm{CP} + \langle \neg x = \bot \lhd x \rhd T \rangle \vdash \bot = \neg T$$

With this definition, we can immediately define the most basic short-circuit
logic we distinguish:

Definition 9. FSCL (free short-circuit logic) is the short-circuit logic that
implies no other consequences than those of the module expression SCL.

Using these definitions we can provide equations that are derivable from
FSCL. The question whether a finite axiomatization of FSCL with only sequen-
tial conjunction, negation and T exists is open, but the following set EqFSCL
of equations for FSCL is proposed in [5]¹:

$$\bot = \neg T \qquad \text{(SCL1)}$$
$$x \leftor y = \neg(\neg x \leftand \neg y) \qquad \text{(SCL2)}$$
$$\neg\neg x = x \qquad \text{(SCL3)}$$
$$T \leftand x = x \qquad \text{(SCL4)}$$
$$x \leftand T = x \qquad \text{(SCL5)}$$
$$\bot \leftand x = \bot \qquad \text{(SCL6)}$$
$$(x \leftand y) \leftand z = x \leftand (y \leftand z) \qquad \text{(SCL7)}$$
$$(x \leftor y) \leftand (z \leftand \bot) = (\neg x \leftor (z \leftand \bot)) \leftand (y \leftand (z \leftand \bot)) \qquad \text{(SCL8)}$$
$$(x \leftor y) \leftand (z \leftor T) = (x \leftand (z \leftor T)) \leftor (y \leftand (z \leftor T)) \qquad \text{(SCL9)}$$
$$((x \leftand \bot) \leftor y) \leftand z = (x \leftand \bot) \leftor (y \leftand z) \qquad \text{(SCL10)}$$

Note that equations SCL2 and SCL3 imply a left-sequential version of De Mor-
gan's laws.

An important equation that is absent is the following:

$$x \leftand \bot = \bot$$

This is what we would expect, since evaluation of $t \leftand \bot$ (with $t$ a closed term)
can generate a side effect that is absent in the evaluation of $\bot$, although we
know that evaluation of $t \leftand \bot$ always yields F.

¹In [5] it is stated that the authors did not find any equations derivable from FSCL but
not from EqFSCL.

We now have the most basic short-circuit logic and some of its equations
defined, but of course there also is a "most liberal" short-circuit logic below
propositional logic. This logic is based on memorizing CP and satisfies idempo-
tence of $\leftand$ (and $\leftor$), but not its commutativity. It is defined as follows:

Definition 10. MSCL (memorizing short-circuit logic) is the short-circuit
logic that implies no other consequences than those of the module expression

$$\{T, \neg, \leftand\} \,\square\, (\mathrm{CP}_{mem} + \langle \neg x = \bot \lhd x \rhd T \rangle + \langle x \leftand y = y \lhd x \rhd \bot \rangle)$$

For the set of axioms EqMSCL, intuitions and an example, and a complete-
ness proof of MSCL we refer the reader to [5]. Adding the axiom $x \leftand \bot = \bot$
to MSCL, or equivalently the axiom $\bot \lhd x \rhd \bot = \bot$ to $\mathrm{CP}_{mem}$, yields so-called
static short-circuit logic (SSCL), which is equivalent with propositional logic
(be it in sequential notation and defined by short-circuit evaluation).

Definition 11. SSCL (static short-circuit logic) is the short-circuit logic
that implies no other consequences than those of the module expression

$$\{T, \neg, \leftand\} \,\square\, (\mathrm{CP}_{mem} + \langle \bot \lhd x \rhd \bot = \bot \rangle + \langle \neg x = \bot \lhd x \rhd T \rangle + \langle x \leftand y = y \lhd x \rhd \bot \rangle)$$


5.3 Repetition-Proof Short-Circuit Logic 

With both the most basic as well as the most liberal short-circuit logic we
distinguish defined, we can present the variant of short-circuit logic that we are
interested in because it underlies the logic of formulas in DLAf: repetition-proof
short-circuit logic (RPSCL). This SCL-variant stems from an axiomatization of
proposition algebra called repetition-proof CP ($\mathrm{CP}_{rp}$) that is in between CP
and $\mathrm{CP}_{mem}$ and involves explicit reference to a set $A$ of atoms (propositional
variables).

The axiom system $\mathrm{CP}_{rp}$ is defined as the extension of CP with the following
two axiom schemes (for $a \in A$), which imply that any subsequent evaluation
result of an atom $a$ equals the current one, as long as no other atom is evaluated
in between:

$$(x \lhd a \rhd y) \lhd a \rhd z = (x \lhd a \rhd x) \lhd a \rhd z \qquad \text{(CPrp1)}$$
$$x \lhd a \rhd (y \lhd a \rhd z) = x \lhd a \rhd (z \lhd a \rhd z) \qquad \text{(CPrp2)}$$

We write $\mathrm{Eq}_{rp}(A)$ to denote the set of these axiom schemes in the format of
module algebra. In $\mathrm{CP}_{rp}$ the conditional cannot be expressed in terms of $\neg$, $\leftand$
and T: in [3] it is shown that the propositional statement $a \lhd b \rhd c$ (for atoms
$a, b, c \in A$) cannot be expressed modulo repetition-proof valuation congruence,
that is, the valuation congruence axiomatized by $\mathrm{CP}_{rp}$. The definition of RPSCL
then becomes:

Definition 12. RPSCL (repetition-proof short-circuit logic) is the short-
circuit logic that implies no other consequences than those of the module expres-
sion

$$\{T, \neg, \leftand, a \mid a \in A\} \,\square\, (\mathrm{CP} + \mathrm{Eq}_{rp}(A) + \langle \neg x = \bot \lhd x \rhd T \rangle + \langle x \leftand y = y \lhd x \rhd \bot \rangle)$$

The equations defined by RPSCL include those that are defined by EqFSCL
as well as, for $a \in A$:

$$a \leftand (a \leftor x) = a \leftand (a \leftor y) \qquad \text{(RP1)}$$
$$a \leftor (a \leftand x) = a \leftor (a \leftand y) \qquad \text{(RP2)}$$
$$(a \leftor \neg a) \leftand x = (\neg a \leftand a) \leftor x \qquad \text{(RP3)}$$
$$(\neg a \leftor a) \leftand x = (a \leftand \neg a) \leftor x \qquad \text{(RP4)}$$
$$(a \leftand \neg a) \leftand x = a \leftand \neg a \qquad \text{(RP5)}$$
$$(\neg a \leftand a) \leftand x = \neg a \leftand a \qquad \text{(RP6)}$$
$$(x \leftor y) \leftand (a \leftand \neg a) = (\neg x \leftor (a \leftand \neg a)) \leftand (y \leftand (a \leftand \neg a)) \qquad \text{(RP7)}$$
$$(x \leftor y) \leftand (\neg a \leftand a) = (\neg x \leftor (\neg a \leftand a)) \leftand (y \leftand (\neg a \leftand a)) \qquad \text{(RP8)}$$
$$(x \leftor y) \leftand (a \leftor \neg a) = (x \leftand (a \leftor \neg a)) \leftor (y \leftand (a \leftor \neg a)) \qquad \text{(RP9)}$$
$$(x \leftor y) \leftand (\neg a \leftor a) = (x \leftand (\neg a \leftor a)) \leftor (y \leftand (\neg a \leftor a)) \qquad \text{(RP10)}$$
$$((a \leftand \neg a) \leftor y) \leftand z = (a \leftand \neg a) \leftor (y \leftand z) \qquad \text{(RP11)}$$
$$((\neg a \leftand a) \leftor y) \leftand z = (\neg a \leftand a) \leftor (y \leftand z) \qquad \text{(RP12)}$$



It is an open question whether the equations SCL1-SCL10 and the equation
schemes RP1-RP12 axiomatize RPSCL, but it will be shown below that RPSCL
is the logic that models equivalence of formulas in DLAf, where the set of atoms is

  $A = \{R\,t_1 \ldots t_n,\ t_1 = t_2,\ [v := t]\top\}$

For this reason, we add the conditional $\_ \triangleleft \_ \triangleright \_$ and the constant $\bot$ to DLAf
(thus making $\vee$ and $\wedge$ definable). In order to decide whether different DLAf
formulas are equivalent, just translate these to $\mathrm{CP}_{rp}$ and decide their equivalence
(either by axiomatic reasoning or by checking their repetition-proof valuation
congruence). So, we extend the formulas in DLAf in order to characterize the
logic that models their equivalence. In this extension of DLAf, which we baptize
DLCAf (for Dynamic Logic with the Conditional and Assignments as Formulas),
truth in $M$ relative to an initial valuation $g$ for the conditional is defined as follows
(the condition $\phi_1$ is evaluated first, and only the selected branch is evaluated, in
the valuation $h$ that the condition leaves behind):

  $M \models_g (\phi_2 \triangleleft \phi_1 \triangleright \phi_3)$ iff, for $h$ with $g[\![\Pi^M_g(\phi_1)]\!]^M_h$:
    $M \models_h \phi_2$ if $M \models_g \phi_1$,
    $M \models_h \phi_3$ otherwise.   (DLCA)

This means that we need an extra equation for the program extraction function
$\Pi$ too, which handles the conditional. For model $M$, initial valuation $g$ and $h$
such that $g[\![\Pi^M_g(\phi_1)]\!]^M_h$:

  $\Pi^M_g(\phi_2 \triangleleft \phi_1 \triangleright \phi_3) = \Pi^M_g(\phi_1);\Pi^M_h(\phi_2)$ if $M \models_g \phi_1$,
  $\Pi^M_g(\phi_2 \triangleleft \phi_1 \triangleright \phi_3) = \Pi^M_g(\phi_1);\Pi^M_h(\phi_3)$ otherwise.

In the remainder of this section we consider formulas over this signature, thus
formulas over $A$ composed with $\_ \triangleleft \_ \triangleright \_$. Below we will prove for all mentioned
axioms that they are valid in DLCAf.

Proposition 5. Let $M$ be a model for DLCAf. The axiom CP1, that is

  $x \triangleleft \top \triangleright y = x$   (CP1)

is valid in $M$.

Proof. Let $t_1, t_2$ be arbitrary formulas and let $g$ be an initial valuation. Regard-
less of $g$, we have $M \models_g \top$ (by QDL3), so by DLCA we get $M \models_g (t_1 \triangleleft \top \triangleright t_2)$
iff, for $g[\![\Pi^M_g(\top)]\!]^M_h$, $M \models_h t_1$. Since $g = h$ (the program extracted from $\top$
does not change the valuation), we indeed have that $M \models_g (t_1 \triangleleft \top \triangleright t_2)$
iff $M \models_g t_1$. □

Proposition 6. Let $M$ be a model for DLCAf. The axiom CP2, that is

  $x \triangleleft \bot \triangleright y = y$   (CP2)

is valid in $M$.

Proof. Let $t_1, t_2$ be arbitrary formulas and let $g$ be an initial valuation. $\bot$ is a
shorthand for $\neg\top$, so we first need QDL6, which states that $M \models_g \neg\top$ iff not
$M \models_g \top$, which is never the case. So for any initial valuation $g$, $M \models_g \bot$ is
false. Thus by DLCA, we get $M \models_g (t_1 \triangleleft \bot \triangleright t_2)$ iff, for $g[\![\Pi^M_g(\bot)]\!]^M_h$, $M \models_h t_2$.
Since $g = h$, we indeed have that $M \models_g (t_1 \triangleleft \bot \triangleright t_2)$ iff $M \models_g t_2$. □

Proposition 7. Let $M$ be a model for DLCAf. The axiom CP3, that is

  $\top \triangleleft x \triangleright \bot = x$   (CP3)

is valid in $M$.

Proof. Let $t$ be an arbitrary formula and let $g$ be an initial valuation. If $M \models_g t$
then by DLCA we get, for $g[\![\Pi^M_g(t)]\!]^M_h$, $M \models_h \top$, which is true. If $M \not\models_g t$
then by DLCA we obtain $M \models_h \bot$ (note that also in this case $h$ is defined),
which is false. Thus $M \models_g t$ iff $M \models_g \top \triangleleft t \triangleright \bot$ and hence the axiom CP3
is valid. □

Proposition 8. Let $M$ be a model for DLCAf. The axiom CP4, that is

  $x \triangleleft (y \triangleleft z \triangleright v) \triangleright u = (x \triangleleft y \triangleright u) \triangleleft z \triangleright (x \triangleleft v \triangleright u)$   (CP4)

is valid in $M$.

Proof. Let $t_1, t_2, t_3, t_4, t_5$ be arbitrary formulas and let $g$ be an initial valuation.
We have to show that

  $M \models_g t_1 \triangleleft (t_2 \triangleleft t_3 \triangleright t_4) \triangleright t_5$ iff $M \models_g (t_1 \triangleleft t_2 \triangleright t_5) \triangleleft t_3 \triangleright (t_1 \triangleleft t_4 \triangleright t_5)$

We have to apply DLCA multiple times here. Applying it to the left hand side
we get, for $f$ with $g[\![\Pi^M_g(t_2 \triangleleft t_3 \triangleright t_4)]\!]^M_f$:

  $M \models_g t_1 \triangleleft (t_2 \triangleleft t_3 \triangleright t_4) \triangleright t_5$ iff
    $M \models_f t_1$ if $M \models_g (t_2 \triangleleft t_3 \triangleright t_4)$,
    $M \models_f t_5$ otherwise.

Applying DLCA again to $M \models_g (t_2 \triangleleft t_3 \triangleright t_4)$ we get, for $f'$ with $g[\![\Pi^M_g(t_3)]\!]^M_{f'}$:

  $M \models_g (t_2 \triangleleft t_3 \triangleright t_4)$ iff
    $M \models_{f'} t_2$ if $M \models_g t_3$,
    $M \models_{f'} t_4$ otherwise.

So if $M \models_g t_3$ and $M \models_{f'} t_2$, we get $M \models_f t_1$. If on the other hand $M \not\models_g t_3$
but $M \models_{f'} t_4$, we also get $M \models_f t_1$. In all other situations we get $M \models_f t_5$.

Let us now consider the right hand side of the equation. Here we get, for $h'$
with $g[\![\Pi^M_g(t_3)]\!]^M_{h'}$:

  $M \models_g (t_1 \triangleleft t_2 \triangleright t_5) \triangleleft t_3 \triangleright (t_1 \triangleleft t_4 \triangleright t_5)$ iff
    $M \models_{h'} (t_1 \triangleleft t_2 \triangleright t_5)$ if $M \models_g t_3$,
    $M \models_{h'} (t_1 \triangleleft t_4 \triangleright t_5)$ otherwise.

Let us first turn our attention to the situation where $M \models_g t_3$. We need to
apply DLCA again and get, for $h$ with $h'[\![\Pi^M_{h'}(t_2)]\!]^M_h$:

  $M \models_{h'} (t_1 \triangleleft t_2 \triangleright t_5)$ iff
    $M \models_h t_1$ if $M \models_{h'} t_2$,
    $M \models_h t_5$ otherwise.

In the situation where $M \not\models_g t_3$, we get, for $h''$ with $h'[\![\Pi^M_{h'}(t_4)]\!]^M_{h''}$:

  $M \models_{h'} (t_1 \triangleleft t_4 \triangleright t_5)$ iff
    $M \models_{h''} t_1$ if $M \models_{h'} t_4$,
    $M \models_{h''} t_5$ otherwise.

So on the right hand side, if $M \models_g t_3$ and $M \models_{h'} t_2$, we get $M \models_h t_1$. If
$M \not\models_g t_3$ but $M \models_{h'} t_4$, we also get $M \models_{h''} t_1$. In the other situations we get
either $M \models_h t_5$ or $M \models_{h''} t_5$.

To prove that this is the same result as on the left hand side, we need to prove
that $f' = h'$, that $f = h$ if $M \models_g t_3$, and that $f = h''$ if $M \not\models_g t_3$. The last two
statements seem contradictory, but as we will see $f$ can actually take two different
valuations depending on the truth of $t_3$. The mentioned valuations are all determined
using the program extraction function. To recap, we have the following:

  $g[\![\Pi^M_g(t_2 \triangleleft t_3 \triangleright t_4)]\!]^M_f$,  $g[\![\Pi^M_g(t_3)]\!]^M_{f'}$,  $g[\![\Pi^M_g(t_3)]\!]^M_{h'}$,
  $h'[\![\Pi^M_{h'}(t_2)]\!]^M_h$,  $h'[\![\Pi^M_{h'}(t_4)]\!]^M_{h''}$.

We can immediately see that $f' = h'$: both are obtained from $g$ by the same program
$\Pi^M_g(t_3)$. Using the updated definition of the program extraction function for the
conditional we get that

  $g[\![\Pi^M_g(t_2 \triangleleft t_3 \triangleright t_4)]\!]^M_f$ iff
    $g[\![\Pi^M_g(t_3);\Pi^M_{h'}(t_2)]\!]^M_f$ if $M \models_g t_3$,
    $g[\![\Pi^M_g(t_3);\Pi^M_{h'}(t_4)]\!]^M_f$ otherwise.

To determine whether $f = h$, we need $M \models_g t_3$ and have to compare

  $g[\![\Pi^M_g(t_3);\Pi^M_{h'}(t_2)]\!]^M_f$  and  $h'[\![\Pi^M_{h'}(t_2)]\!]^M_h$.

By QDL12 (sequential composition), $g[\![\Pi^M_g(t_3);\Pi^M_{h'}(t_2)]\!]^M_f$ is equivalent to
$g[\![\Pi^M_g(t_3)]\!]^M_{f'}$ and $f'[\![\Pi^M_{h'}(t_2)]\!]^M_f$, and since $f' = h'$ the latter is
$h'[\![\Pi^M_{h'}(t_2)]\!]^M_f$. The resulting valuation of an extracted program is unique, so
indeed $f = h$ if $M \models_g t_3$. Using the same argument we get that if $M \not\models_g t_3$, then
$g[\![\Pi^M_g(t_3)]\!]^M_{f'}$ and $f'[\![\Pi^M_{h'}(t_4)]\!]^M_f$. Therefore, if $M \not\models_g t_3$ then $f = h''$. □

With those four axioms proven, we already know for a fact that the logic of
formulas in DLAf indeed is a short-circuit logic. To prove that it is a repetition-
proof short-circuit logic, we need to prove the axiom schemes CPrp1 and CPrp2,
too. Those axiom schemes make use of atoms $a \in A$.

Proposition 9. Let $M$ be a model for DLCAf. The axiom CPrp1, that is

  $(x \triangleleft a \triangleright y) \triangleleft a \triangleright z = (x \triangleleft a \triangleright x) \triangleleft a \triangleright z$   (CPrp1)

is valid in $M$.

Proof. Let $t_1, t_2, t_3$ be arbitrary formulas and $g$ an initial valuation. $M \models_g a$
can either be true or false. If it is false, both the left hand side and the right
hand side are, by DLCA, determined for $g[\![\Pi^M_g(a)]\!]^M_h$ by $M \models_h t_3$. If it is true,
the question whether $M \models_h a$ is asked. We have to prove that for every atom $a \in A$,
the reply to this will be the same as the reply to $M \models_g a$ (namely, true), that
is:

  $M \models_h a$ iff $M \models_g a$

Recall that $a$ can be of the forms $R\,t'_1 \ldots t'_n$, $t'_1 = t'_2$ or $[v := t']\top$. For the first
two forms we can immediately see our claim is true, since $\Pi^M_g(a) = ?\top$ and
therefore $g = h$. For $[v := t']\top$ the claim immediately follows from DLA9: it is,
regardless of the valuation, always true. □

Proposition 10. Let $M$ be a model for DLCAf. The axiom CPrp2, that is

  $x \triangleleft a \triangleright (y \triangleleft a \triangleright z) = x \triangleleft a \triangleright (z \triangleleft a \triangleright z)$   (CPrp2)

is valid in $M$.

Proof. This is the symmetric variant of CPrp1 and is proven similarly. □

By proving the validity of these axiom schemes in DLCAf we have proven
that the equations SCL1-SCL10 together with RP1-RP12 are axioms for for-
mulas in DLCAf. $\mathrm{CP}_{rp}$ indeed is the most identifying extension of CP which is
valid for formulas. After all, the first more identifying extension we distinguish
is $\mathrm{CP}_{con}$ (contractive CP) [3], from which amongst others the following weak
contraction rule can be derived: for $a \in A$

  $a \wedge a = a$

Clearly this is not valid for DLAf formulas such as $[x := x + 1]\top$: both sides
reply true, but the left hand side increments $x$ twice and the right hand side only once.
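The two axiom schemes and the failure of contraction can be checked on concrete valuations. The following Python evaluator is an added example written for this edit; it is not part of the thesis and not code from the cited papers. It evaluates terms $x \triangleleft y \triangleright z$ over DLAf-style atoms (pure tests and assignment atoms $[v := t]\top$) with left-to-right short-circuit evaluation, defines $\neg$, $\wedge$ and $\vee$ by the three defining equations of Definition 12, and compares both sides of an equation by reply and final valuation on a few sample valuations. This is a check on finitely many valuations, not a proof of repetition-proof valuation congruence. The atom names (`INC_X`, `X_IS_0`, the branch markers `X1`, `Y1`, `Z1`) and the sample valuations are constructed here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple, Union

Valuation = Dict[str, int]


@dataclass(frozen=True)
class Atom:
    """An atom a in A: evaluating it yields a reply and (possibly) a new valuation."""
    name: str
    run: Callable[[Valuation], Tuple[bool, Valuation]]


@dataclass(frozen=True)
class Cond:
    """The conditional `then` ◁ `cond` ▷ `other`."""
    then: "Term"
    cond: "Term"
    other: "Term"


Term = Union[bool, Atom, Cond]   # True / False stand for ⊤ / ⊥


def evaluate(t: Term, g: Valuation) -> Tuple[bool, Valuation]:
    """Left-to-right short-circuit evaluation: the condition is evaluated first and
    only the selected branch is evaluated afterwards, in the valuation the condition left."""
    if isinstance(t, bool):
        return t, g
    if isinstance(t, Atom):
        return t.run(g)
    reply, h = evaluate(t.cond, g)
    return evaluate(t.then if reply else t.other, h)


# The connectives, by the defining equations of the module expression for RPSCL.
def neg(x: Term) -> Term:            # ¬x = ⊥ ◁ x ▷ ⊤
    return Cond(False, x, True)


def conj(x: Term, y: Term) -> Term:  # x ∧ y = y ◁ x ▷ ⊥
    return Cond(y, x, False)


def disj(x: Term, y: Term) -> Term:  # x ∨ y = ⊤ ◁ x ▷ y
    return Cond(True, x, y)


# The two kinds of atoms that DLAf provides.
def assignment(v: str, t: Callable[[Valuation], int]) -> Atom:
    """[v := t]⊤: always replies true, but updates the valuation."""
    return Atom(f"[{v} := t]T", lambda g: (True, {**g, v: t(g)}))


def pure_test(name: str, p: Callable[[Valuation], bool]) -> Atom:
    """R t1 ... tn or t1 = t2: a reply only, the valuation is untouched."""
    return Atom(name, lambda g: (p(g), g))


def congruent(s: Term, t: Term, samples: Iterable[Valuation]) -> bool:
    """Same reply and same final valuation on every sample valuation."""
    return all(evaluate(s, g) == evaluate(t, g) for g in samples)


def cprp1_holds(a: Atom, x: Term, y: Term, z: Term, samples) -> bool:
    return congruent(Cond(Cond(x, a, y), a, z), Cond(Cond(x, a, x), a, z), samples)


def cprp2_holds(a: Atom, x: Term, y: Term, z: Term, samples) -> bool:
    return congruent(Cond(x, a, Cond(y, a, z)), Cond(x, a, Cond(z, a, z)), samples)


def contraction_holds(a: Atom, samples) -> bool:
    """The weak contraction rule a ∧ a = a of contractive CP."""
    return congruent(conj(a, a), a, samples)


# Constructed sample valuations and atoms (not taken from the thesis).
SAMPLES = [{"x": 0}, {"x": 1}, {"x": 5}]
INC_X = assignment("x", lambda g: g["x"] + 1)          # [x := x + 1]⊤
X_IS_0 = pure_test("x = 0", lambda g: g["x"] == 0)
# Branch formulas that record which branch ran, so that branches are distinguishable.
X1, Y1, Z1 = (assignment("r", lambda g, k=k: k) for k in (1, 2, 3))

if __name__ == "__main__":
    print(cprp1_holds(INC_X, X1, Y1, Z1, SAMPLES))  # True: the second reply of a equals the first
    print(contraction_holds(X_IS_0, SAMPLES))        # True: a pure test can be contracted
    print(contraction_holds(INC_X, SAMPLES))         # False: x is incremented twice versus once
```

The three printed lines are the point of Section 5.3 in miniature: an assignment atom keeps replying true when asked again (CPrp1 and CPrp2 survive), but asking it again changes the valuation once more, so the contraction rule of $\mathrm{CP}_{con}$ fails for exactly the formulas DLAf allows in steering fragments.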
6.1 Introduction

Now that we have defined a system to model program instructions and program
states, we can return to our original problem: that of formally defining side
effects. Like I said in Section 2.1, the basic idea is that a side effect has oc-
curred in the execution of a program if there is a difference between the actual
evaluation and the expected evaluation of a program given an initial valuation.

We can immediately see, however, that we cannot build a definition of side
effects based on the actual and expected evaluation of an entire program. Such
a definition will get into trouble when there are multiple side effects, especially
if those cancel each other out or reinforce each other. Consider for example the
following program:

  $\pi = ?([x := x + 1]\top);\ ?([x := x + 1]\top)$

If we only look at the entire program, we will detect one side effect
here, which has incremented the value of $x$ by two. However, it seems
more accurate to say that two side effects have occurred, which happen to affect
the same variable.

It gets even more interesting if there is a formula in between the two clauses
above and the clauses themselves cancel each other out:

  $\pi = ?([x := x + 1]\top \wedge \phi \wedge [x := x - 1]\top)$

If we again only look at the entire program, we will detect no side effects (unless
side effects occur in $\phi$). However, because $\phi$ might use or modify $x$ as well, it
seems we will have to pay attention to the side effect of the first clause, even
though it will be cancelled out by the last clause.

So instead of building a definition of side effects by looking only at the
actual and expected evaluation of an entire program, we are going to build it
up starting at the instruction level.
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6.2 Side effects in single instructions 

As said, we are going to use a bottom-up approach to define side effects, so
we will first define side effects for single instructions, then move up to basic
instructions and end with a full definition of side effects for programs.

The idea is that the side effect of a single instruction is the difference between
the actual and the expected evaluation of that instruction. This difference is
essentially the difference between the resulting valuations after, respectively,
the actual and the expected evaluation of the single instruction. The difference
between two valuations is defined as follows:

Definition 13. Given a model $M$, the difference between valuations $g$ and $h$
is defined as those variables that have a different assignment in $g$ and $h$:

  $(x \mapsto k') \in \delta^M(g, h)$ iff $g(x) = k$, $h(x) = k'$ and $M \not\models k = k'$

This notion of difference is not symmetric: $\delta^M(g, h)$ records the values that
the differing variables have in its second argument $h$.

We already know what the actual evaluation of a single instruction is: for
this we can use DLAf. This leaves us to define the expected evaluation. For
this we need to know for each single instruction how we expect it to evaluate,
that is, what changes we expect it to make to the initial valuation. We have the
following expectations of each single instruction:

• Assignments change the initial valuation by updating the variable as-
signment of the variable under consideration to the (interpretation of the)
new value.

• Tests do not change the initial valuation: they only yield true or false and
steer the rest of the program accordingly.

We need the following equations for determining the expected evaluation $\mathcal{E}$
of a single instruction:

  $M \models^{\mathcal{E}}_g \top$ always   (EV1)
  $M \models^{\mathcal{E}}_g R\,t_1 \ldots t_n$ iff $([\![t_1]\!]^M_g, \ldots, [\![t_n]\!]^M_g) \in R^M$   (EV2)
  $M \models^{\mathcal{E}}_g t_1 = t_2$ iff $[\![t_1]\!]^M_g$ is the same as $[\![t_2]\!]^M_g$   (EV3)
  $M \models^{\mathcal{E}}_g [v := t]\top$ always   (EV4)
  $g[\![v := t]\!]^{\mathcal{E}}_h$ iff $h = g[v \mapsto [\![t]\!]^M_g]$   (EV5)
  $g[\![?\phi]\!]^{\mathcal{E}}_h$ iff $g = h$ and $M \models^{\mathcal{E}}_g \phi$   (EV6)

Note the difference with the actual evaluation: unlike DLA11, EV6 does not run
the program extracted from $\phi$. The expected evaluation of a test never changes
the valuation, which is exactly why an assignment inside a test will register as
a side effect.



Now that we have the actual and the expected evaluation of a single instruc-
tion, we can define its side effects. As said, this is going to be the difference
between the two resulting valuations.

Definition 14. Let $p$ be a single instruction. Let model $M$ be given and let $g$
be an initial valuation. Furthermore, let $h$ be a valuation such that $g[\![p]\!]^M_h$ and let
$h'$ be a valuation such that $g[\![p]\!]^{\mathcal{E}}_{h'}$. The set of side effects of single instruction $p$
given model $M$ and initial valuation $g$ is defined as

  $S^M_g(p) = \delta^M(h', h)$

It is important to note that the valuations $h$ and $h'$ as meant in the above
definition may not exist. We are not interested in those situations, however. If
$h$ and $h'$ do exist, they are unique. Also note that $\delta^M(h', h)$ returns the variable
assignment of valuation $h$ where it differs from the variable assignment
of valuation $h'$. Thus, the set of side effects is a set containing
those variables that have a different assignment after the actual and the expected
evaluation, with as assignments the ones the variables actually get (that is, the
assignments they have after evaluating the single instruction with the actual
evaluation).

We will illustrate this with two examples. First, consider the single instruc-
tion $p = (x := 1)$, evaluated under model $M$ in initial valuation $g$ with $g(x) = 0$.
We want to know if this causes a side effect, so we need to know the actual eval-
uation and the expected evaluation. To calculate the actual evaluation, we need
to know if $g[\![x := 1]\!]^M_h$ and if so, for which valuation $h$. The equations for DLAf
immediately give us the answer, in this case via QDL10: $h = g[x \mapsto [\![1]\!]^M_g]$. So
we get $h(x) = 1$.

Getting the expected evaluation works in a similar fashion, but instead of
DLAf we now use the equations above to evaluate $p$. Since the equation for
evaluating an assignment (EV5) is the same as QDL10, we get exactly the
same expected evaluation as the actual evaluation. Thus we get $h' = g[x \mapsto
[\![1]\!]^M_g]$ and therefore $h'(x) = 1$. We can immediately see that this results in the
set of side effects being empty:

  $S^M_g(x := 1) = \delta^M(h', h) = \emptyset$

This is of course what we would expect: an assignment should not have a side
effect if it does not occur in a steering fragment. Let us now consider an example
where we do expect a side effect, namely an assignment that does occur in a steering
fragment: $p = ?([x := 1]\top)$. We use the same initial valuation $g$. First we
find the actual evaluation again, which we do by evaluating $g[\![?([x := 1]\top)]\!]^M_h$.
We now need DLA11, which tells us that (in this case) $g[\![?([x := 1]\top)]\!]^M_h$ iff
$M \models_g [x := 1]\top$ and $g[\![\Pi^M_g([x := 1]\top)]\!]^M_h = g[\![x := 1]\!]^M_h$. Both evaluate to
true, the latter with $h = g[x \mapsto 1]$.

The expected evaluation once again takes us to the equations above; we need
to determine $h'$ such that $g[\![?([x := 1]\top)]\!]^{\mathcal{E}}_{h'}$. For tests, the demands are fairly
simple: $g = h'$ and $M \models^{\mathcal{E}}_g [x := 1]\top$ (see EV6). The latter is by EV4 defined to
be always true. As a result, we get $h'(x) = g(x) = 0$. Thus we get the following
set of side effects:

  $S^M_g(?([x := 1]\top)) = \delta^M(h', h) = \{x \mapsto 1\}$

Again, this is exactly what we want: since we expect formulas to only yield true
or false, the change this formula makes to the program state upon evaluation is
a side effect.

CHAPTER 6. A TREATMENT OF SIDE EFFECTS

6.3 Side effects in basic instructions

With side effects for single instructions defined, we can move up a step to side
effects in basic instructions. The difference between single and basic instructions
is that in basic instructions, complex steering fragments are allowed. This means
that we are going to have to define how side effects are handled in tests that
contain a disjunction ($\vee$), conjunction ($\wedge$) or negation ($\neg$). The idea is that the
set of side effects of the whole formula is the union of the sets of side effects of
its primitive parts. However, we also have to pay attention to the short-circuit
character of $\vee$: only the primitive formulas that actually get evaluated can contribute
to the set of side effects.

With this in mind, we can give the definition for side effects in (possibly)
complex steering fragments. Like before, we are only interested in the side
effects if the test actually succeeds. We need to define this for disjunctions,
conjunctions and negations:

Definition 15. Let $\phi = \phi_1 \vee \phi_2$ be a disjunction. Let model $M$ and initial
valuation $g$ be given, with $M \models_g \phi$ and where $\phi$ is in its normal form. Further-
more, let $f$ be the valuation after evaluation of formula $\phi_1$, that is, $g[\![?\phi_1]\!]^M_f$.
The set of side effects $S^M_g(?\phi)$ is defined by a case distinction on whether $\phi_1$
succeeds, so that only the disjuncts that are actually evaluated contribute.

The case distinction is in place because of the short-circuit character of $\vee$.
For the definition of its dual $\wedge$ we do not need this case distinction, because since
we are again only interested in the side effects if the (entire) formula succeeds,
all the formulas in the conjunction have to yield true. Therefore, the definition
for conjunction is a bit easier:

Definition 16. Let $\phi = \phi_1 \wedge \phi_2$ be a conjunction. Let model $M$ and initial
valuation $g$ be given, with $M \models_g \phi$ and where $\phi$ is in its normal form. Further-
more, let $f$ be the valuation after evaluation of primitive formula $\phi_1$, that is,
$g[\![?\phi_1]\!]^M_f$. The set of side effects $S^M_g(?\phi)$ is defined as:

  $S^M_g(?\phi) = S^M_g(?\phi_1) \cup S^M_f(?\phi_2)$

The recursive definitions for disjunction and conjunction work because even-
tually, a primitive formula will be encountered, for which the side effects are
already defined. Unfortunately, we cannot use a similar construction for nega-
tion. This is because the side effects in a primitive formula are only defined if
that formula yields true upon evaluation, so we cannot simply treat negation as
a transparent operator (that is, it is typically not true that $S^M_g(?\neg\phi) = S^M_g(?\phi)$).
So we will have to define negation the hard way instead. Because we are using
formulas in normal form in the other definitions, we only have to define negation
for primitive formulas:

Definition 17. Let $\neg\varphi$ be the negation of a primitive formula $\varphi$. Let model $M$ be
given and let $g$ be an initial valuation. Furthermore, let $h$ be a valuation such that
$g[\![?\neg\varphi]\!]^M_h$ and let $h'$ be a valuation such that $g[\![?\neg\varphi]\!]^{\mathcal{E}}_{h'}$. The set of side effects
of basic instruction $?\neg\varphi$ given model $M$ and initial valuation $g$ is defined as

  $S^M_g(?\neg\varphi) = \delta^M(h', h)$

Now that we have a definition for side effects in (complex) steering fragments,
the extension of our definition of side effects in single instructions to side effects
in basic instructions is trivial:
Definition 18. Let $w$ be a basic instruction. Let model $M$ and initial valuation
$g$ be given and let $h$ be a valuation such that $g[\![w]\!]^M_h$. The set of side effects
$S^M_g(w)$ is defined as:

  $S^M_g(w) = S^M_g(p)$ if $w = p$ is a single instruction,
  $S^M_g(w) = S^M_g(?\phi)$ if $w = ?\phi'$ and $\phi$ is the normal form of $\phi'$.

We can illustrate this with a simple, yet interesting example. Consider the
following basic instruction: $w = ?([x := x + 1]\top \wedge [x := x - 1]\top)$ with initial
valuation $g$ such that $g(x) = 1$. In this situation we have two side effects
that happen to cancel each other out. The resulting valuation after the actual
evaluation of this basic instruction will be the same as the initial valuation $g$.

First we observe that the formula in this basic instruction is in its normal
form, a trivial observation since no negations occur in it. There are two primitive
formulas in this conjunction, so the set of side effects is:

  $S^M_g(?([x := x + 1]\top \wedge [x := x - 1]\top)) = S^M_g(?([x := x + 1]\top)) \cup S^M_{g_1}(?([x := x - 1]\top))$

Here $g_1$ is determined by $g[\![?([x := x + 1]\top)]\!]^M_{g_1}$, so we get $g_1(x) = 2$. We have
already seen in the previous section how the parts of the union above evaluate,
so we get:

  $S^M_g(?([x := x + 1]\top \wedge [x := x - 1]\top)) = \{x \mapsto 2\} \cup \{x \mapsto 1\}$
  $= \{x \mapsto 2, x \mapsto 1\}$

So with this definition we have avoided the trap of not detecting any side effects
when there are two side effects that cancel each other out. Instead we have two
side effects here, the last of which happens to restore the valuation of $x$ to its
original one.



6.4 Side effects in programs 

If we are going to extend our definition to that of side effects in programs, we are
going to have to define how concatenation, union and repetition are handled.

Defining side effects for entire programs is more complicated than defining
side effects for single and basic instructions. This is because two composition
operators, namely union and repetition, can be non-deterministic. As we have
mentioned before, however, we are only interested in (the side effects of) deter-
ministic programs. This leaves us to define how side effects are calculated for
the composition operators of deterministic programs. For concatenation, this is
trivial. We once again require that the entire program can be evaluated with
the given initial valuation. The set of side effects of a program then is the union
of the side effects in its basic instructions that are executed given some initial
valuation:

Definition 19. Let $d\pi = d\pi_1; d\pi_2$ be a deterministic program. Let model $M$
and initial valuation $g$ be given and let $h$ be the valuation such that $g[\![d\pi]\!]^M_h$.
Furthermore, let $f$ be the valuation such that $g[\![d\pi_1]\!]^M_f$. The set of side effects
$S^M_g(d\pi)$ is defined by:

  $S^M_g(d\pi) = S^M_g(d\pi_1) \cup S^M_f(d\pi_2)$

This works in a similar fashion as the definition of side effects in complex
steering fragments. We can now return to the example given in the Introduction
of this chapter: $d\pi = ?([x := x + 1]\top);\ ?([x := x + 1]\top)$. The above definition
indeed avoids the trap presented there, namely that this program only yields a
single side effect. To see this, consider initial valuation $g$ such that $g(x) = 0$.
We then get $g[\![?([x := x + 1]\top)]\!]^M_f$ with $f(x) = 1$, so the set of side
effects becomes:

  $S^M_g(d\pi) = S^M_g(?([x := x + 1]\top)) \cup S^M_f(?([x := x + 1]\top))$
  $= \{x \mapsto 1\} \cup \{x \mapsto 2\}$
  $= \{x \mapsto 1, x \mapsto 2\}$

Similarly, side effects that cancel each other out, such as in $d\pi = ?([x := x + 1]\top);\
?([x := x - 1]\top)$, will now be detected, resulting for the same
initial valuation $g$ in a set of side effects $S^M_g(d\pi) = \{x \mapsto 1, x \mapsto 0\}$.

Another interesting observation is that the transformation defined in
Proposition 5, which eliminates occurrences of $\wedge$ and $\vee$ in steering fragments,
not only preserves the relational meaning, but also the side effects of such a
steering fragment. The program $?([x := x + 1]\top \wedge [x := x - 1]\top)$ and its
transformed version $?([x := x + 1]\top);\ ?([x := x - 1]\top)$ are an illustration of this:
we can easily see that both have the same set of side effects.

With concatenation defined, we can move on to the next composition op-
erators: union and repetition. For this we can use the property that given an
initial valuation, every (terminating) deterministic program has a unique canon-
ical form that executes the same basic instructions (see the corresponding proposition
in Chapter 3). This makes the definition of side effects for programs containing a
union or repetition straightforward:

Definition 20. Let $d\pi$ be a deterministic program. Let model $M$ and initial
valuation $g$ be given and let $h$ be the valuation such that $g[\![d\pi]\!]^M_h$. Furthermore,
let $d\pi'$ be the deterministic program in canonical form as meant in that proposition.
The set of side effects $S^M_g(d\pi)$ is defined by:

  $S^M_g(d\pi) = S^M_g(d\pi')$

We can illustrate how this works by returning to our running example, dis-
cussed in detail in Section 3.2:

  x := 1;
  IF (x := x + 1 ∧ x = 2)
  THEN y := 1
  ELSE y := 2

In DLAf, this translates to the following deterministic program $d\pi$:

  $x := 1;$
  $\big(?([x := x + 1]\top \wedge x = 2);\ y := 1\big)$
  $\cup$
  $\big(?\neg([x := x + 1]\top \wedge x = 2);\ y := 2\big)$

We have already seen that for $g(x) = g(y) = 0$, there is a valuation $h$ such that
$g[\![d\pi]\!]^M_h$ (namely $h = g[x \mapsto 2, y \mapsto 1]$). We can break this program down as
follows:

  $d\pi := p_1; d\pi_1$
  $p_1 := (x := 1)$
  $d\pi_1 := (?\phi_0; p_2) \cup (?\neg\phi_0; p_3)$
  $p_2 := (y := 1)$
  $p_3 := (y := 2)$
  $\phi_0 := \phi_1 \wedge \phi_2$
  $\phi_1 := [x := x + 1]\top$
  $\phi_2 := (x = 2)$

We want to know the set of side effects in this program. This is determined as
follows:

  $S^M_g(d\pi) = S^M_g(p_1) \cup S^M_f(d\pi_1)$

where we get $f$ by evaluating $g[\![x := 1]\!]^M_f$. Thus, $f = g[x \mapsto 1]$. We can easily
see that the first set of side effects $S^M_g(p_1) = \emptyset$. The interesting part is the
second set of side effects, since we now have a deterministic program of the
form $d\pi_1 = (?\phi; d\pi_2) \cup (?\neg\phi; d\pi_3)$. Here $\phi = \phi_0$, $d\pi_2 = p_2$ and $d\pi_3 = p_3$.

We now have to ask ourselves what the canonical form of $d\pi_1$ given valuation
$f$ is. This is determined by the outcome of the test

  $?([x := x + 1]\top \wedge x = 2)$

It is easy to see that this yields true. Thus, the canonical form $d\pi'$ of $d\pi_1$ is

  $d\pi' = ?\phi_0; p_2$

Therefore, according to our definition, for $f[\![?\phi_0]\!]^M_{f'}$:

  $S^M_f(d\pi_1) = S^M_f(d\pi')$
  $= S^M_f(?\phi_0; p_2)$
  $= S^M_f(?\phi_0) \cup S^M_{f'}(p_2)$

We can once again immediately see that the second set of side effects $S^M_{f'}(p_2) =
\emptyset$. The first set of side effects is determined in a similar fashion as in the example
in the previous section. In the end, it gives us:

  $S^M_f(?\phi_0) = S^M_f(?([x := x + 1]\top \wedge (x = 2)))$
  $= S^M_f(?([x := x + 1]\top)) \cup S^M_{f'}(?(x = 2))$

So we again get a union of two sets of side effects, where we get $f'$ by evaluating
$f[\![?([x := x + 1]\top)]\!]^M_{f'}$. Thus, $f' = f[x \mapsto 2]$ (the test $x = 2$ leaves the valuation
unchanged, so this is the same $f'$ as above). It should be clear by now that the
first set of side effects contains one side effect, namely $\{x \mapsto 2\}$, whereas the
latter does not contain any side effects. This gives us as final set of side effects:

  $S^M_g(d\pi) = S^M_g(p_1) \cup \big((S^M_f(?([x := x + 1]\top)) \cup S^M_{f'}(?(x = 2))) \cup S^M_{f'}(p_2)\big)$
  $= \emptyset \cup ((\{x \mapsto 2\} \cup \emptyset) \cup \emptyset)$
  $= \{x \mapsto 2\}$

This is exactly the side effect we have come to expect from our running example.

We can now move on to an example of side effects in programs containing a
repetition. Recall that repetition is defined as follows:

  $g[\![\pi^*]\!]^M_h$ iff $g = h$ or $g[\![\pi; \pi^*]\!]^M_h$   (QDL14)

So, $\pi$ either gets executed not at all or at least once. The form of programs we
are interested in is

  $d\pi = (?\phi; \pi)^*;\ ?\neg\phi$

In this case there is exactly one way in which the program can be evaluated
(see Proposition 3 in Chapter 3). Our definition of canonical forms tells us that
given an initial valuation $g$ and $n$ as meant in Proposition 3, the canonical form
$d\pi'$ of $d\pi$ is

  $d\pi' = (\pi_\phi)^n;\ ?\neg\phi$

where $\pi_\phi = ?\phi; \pi$. Using this we get the following set of side effects of a
deterministic program of the above form:

  $S^M_g(d\pi) = S^M_g((\pi_\phi)^n;\ ?\neg\phi)$

As an example of this, we can return to a slightly modified version of the example
we gave in Section 3.3.2:

  x := 0;
  y := 0;
  WHILE (x := x + 1 ∧ x ≤ 3)
  DO y := y + 1

In DLAf, this translates to the following deterministic program $d\pi$ given model
$M$ and initial valuation $g$ such that $g(x) = g(y) = 0$:

  $d\pi = (?([x := x + 1]\top \wedge (x \leq 3));\ y := y + 1)^*;\ ?\neg([x := x + 1]\top \wedge (x \leq 3))$

Clearly this is a deterministic program in the form we are interested in and there
is a valuation $h$ such that $g[\![d\pi]\!]^M_h$. In this case we have $\pi_\phi = ?\phi;\ y := y + 1$ with
$\phi = [x := x + 1]\top \wedge (x \leq 3)$. To get the canonical form $d\pi'$ of $d\pi$, we need to
find the number of iterations $n$ for which $?\phi$ succeeds, but after which the test will
not succeed another time. This is $n = 3$. After all, after three iterations we
will have valuation $g_3 = g[x \mapsto 3, y \mapsto 3]$. With this valuation, the test
$?([x := x + 1]\top \wedge (x \leq 3))$ will fail, or to put it formally:
$M \not\models_{g_3} [x := x + 1]\top \wedge (x \leq 3)$ (the evaluation first sets $x$ to 4, and
$4 \leq 3$ is false). This means that we will get the following set of side effects:

  $S^M_g(d\pi) = S^M_g(d\pi')$
  $= S^M_g(\pi_\phi; \pi_\phi; \pi_\phi) \cup S^M_{g_3}(?\neg\phi)$
  $= \{x \mapsto 1, x \mapsto 2, x \mapsto 3\} \cup \{x \mapsto 4\}$
  $= \{x \mapsto 1, x \mapsto 2, x \mapsto 3, x \mapsto 4\}$

Is this the result we would expect? The answer is yes. It is clear that each
time the test is evaluated, a side effect occurs. The test is performed four times:
three times it succeeds (after which the program executes the body of its loop)
and the fourth time it fails, but not before updating the valuation of $x$. The
program evaluates with as final valuation $h = g[x \mapsto 4, y \mapsto 3]$.

6.5 Side effects outside steering fragments

The keen observer will have noticed by now that under our current definition,
side effects can only occur in steering fragments. I have been going through
quite some trouble, however, to make my definitions of side effects as general
as possible. Even though in this thesis I am only interested in side effects in
steering fragments, I am fully aware that views can differ on what the main
effect and what the side effect of an instruction is. That may either be a matter
of opinion or a matter of necessity, as in different systems the same instruction
may have a side effect in one system and not in the other.

The way my definitions of side effects¹ are built up, one need only change the
expected evaluation of an instruction in order to change whether it is viewed as a side
effect in a certain context. Consider, for example, the sometimes accepted view
that an assignment causes a side effect, no matter where it occurs in a program.
This view is for example expressed by Norrish in [17]. The only change we
would need to make to our system to incorporate that view is a change to the
expected evaluation of the assignment, which would then become:

  $g[\![v := t]\!]^{\mathcal{E}}_h$ iff $g = h$

The consequence of this in our current setting would be that the expected
evaluation of every program always has a resulting valuation $h$ that is equal to
the initial valuation $g$, since currently only assignments can make changes to a
valuation and by the above definition we do not expect any assignment to do
so, wherever it occurs in the program. As a consequence, any change to the
valuation (caused by the actual evaluation) will automatically be a side effect.

It is almost as simple to add new instructions to our setting. I definitely do
not want to claim that the instructions I have defined in DLAf are exhaustive,
so this need may arise. If we were, for instance, to re-introduce the random
assignment $v := ?$, all we would have to do is to define the actual and expected
evaluation of this. The actual evaluation is already given by Harel in [14] and
Van Eijck in [11]:

¹ As well as the definitions of classes of side effects presented in Chapter 7.

If we would also want to allow random assignments in tests, we would have
to add a rule for that as well, similar to the one already in place for normal
assignments:

  $M \models_g [v := ?]\top$ iff $g[\![v := ?]\!]^M_h$ for some valuation $h$

The definition of the expected evaluation is dictated by what we really expect
the random assignment to do. This can be the same as what it actually does,
in which case we have to define the expected evaluation to be the same as the
actual evaluation above:

  $g[\![v := ?]\!]^{\mathcal{E}}_h$ iff $g[\![v := ?]\!]^M_h$
  $M \models^{\mathcal{E}}_g [v := ?]\top$ iff $M \models_g [v := ?]\top$

If we expect random assignments to do something different, all we have to do
is define the expected evaluation accordingly. This expected evaluation can
literally be anything: from simply not updating the valuation at all to always
setting a completely unrelated variable to 42:

  $g[\![v := ?]\!]^{\mathcal{E}}_h$ iff $h = g[\mathit{the\ answer\ to\ life,\ the\ universe\ and\ everything} \mapsto 42]$

On a side note, this example poses some interesting questions about 'negative'
side effects. Under our current definition, setting the above mentioned variable
to 42 registers as a side effect, but in a somewhat strange fashion. After all, $v := ?$
is a single instruction and for $g[\![v := ?]\!]^M_h$ and $g[\![v := ?]\!]^{\mathcal{E}}_{h'}$ we have
$S^M_g(v := ?) = \delta^M(h', h)$. There will actually be two differences between valuations
$h'$ and $h$ here: the actual evaluation updates variable $v$, whereas the expected
evaluation leaves $v$ alone but does update the variable the answer to life, the
universe and everything. Both variables will show up in the set of side effects,
both with the assignment the actual evaluation has given them.

This fails to capture what has actually happened here: after all, not only did
an unexpected change to the initial valuation happen (a 'regular' side effect),
but an expected change also did not happen (a 'negative' side effect). At least
part of the information about what should have happened is lost, namely the value
the variable the answer to life, the universe and everything was supposed to get.²
It is an open question whether we should even allow these somewhat odd situations
where the actual evaluation does something completely different than we expect,
thereby generating a negative side effect. We leave this question, as well as the
question how we should handle these situations if we do choose to allow them,
for future work.



² Which is quite a shame, considering the trouble it cost to get it.
7.1 Introduction 

In this chapter we will take a closer look at side effects in steering fragments. In 
particular, we will give a classification of side effects. This classification gives 
us a measure of the impact of a side effect. 

As we have already mentioned in our introduction in Chapter 1, Bergstra has 
given an informal classification of side effects in [T]. Bergstra makes a distinction 
between steering instructions and working instructions. This distinction is based 
on a setting called Program Algebra (PGA). In PGA, there is no distinction 
between formulas and single instructions other than formulas, which is why the 
proposed distinction by Bergstra is meaningful in that setting. Every basic 
instruction $a$ in PGA yields a Boolean reply upon execution and can therefore 
be made into a positive or negative test instruction $+a$ or $-a$. Naturally, this 
cannot be done in our setting of DLAf, so instead of giving an overview of 
Bergstra's paper, I will just present the major classes of side effects Bergstra 
distinguishes and what they come down to in our setting. 

Bergstra's first class of side effects is what he calls 'trivial side effects'. By 
this he means side effects that can only be found in e.g. consequences for the 
length of the program or its running time. We are usually not interested in 
those kinds of side effects, which is exactly why Bergstra calls them trivial and 
why we would say that no side effects occur at all. An instruction that only 
returns a meaningful Boolean reply (that is, a Boolean reply that may differ 
depending on the valuation the instruction is evaluated in) is an instruction that 
only has trivial side effects. Examples of such instructions are the comparison 
instructions such as $(x = 2)$ or $(x < 2)$. These instructions can be turned into 
meaningful test instructions by prefixing them with a $+$ or $-$ symbol. We will 
return to this in our explanation of PGA in Chapter 8. In our terms, these 
kinds of instructions can only be formulas, occurring in steering fragments such 
as $?(x = 2)$ or $?(x < 2)$. To be precise, they can only be formulas that have the 
same actual and expected evaluation, and thus no side effects. 

The above described situation, where only trivial side effects occur, is one 
extreme. The other extreme is when an instruction always yields the same 
Boolean reply, regardless of when it is executed. Bergstra says that in that case 
only 'trivial Boolean results' occur and that the instruction should be classified 
as a working instruction (that is, a single instruction not being a formula). In 
our setting this is also true with one notable exception: that of assignments. As 
we know, assignments always return true, so their Boolean result is trivial. Still, 
we allow them in formulas, too. If an instruction with trivial Boolean results 
occurs outside a formula, its only relevance would be its effect other than the 
Boolean reply, in which case you can hardly call that effect a side effect. If it 
occurs in a formula, however, the Boolean result (albeit trivial) does have 
relevance, so the effect other than the Boolean reply can indeed be called a side 
effect. This is exactly what happens in our setting. 

What the classification between steering instructions and working instructions 
gives us in the end, is a recommendation on how to use a particular kind of 
instruction. Instructions such as the comparison $(x < 2)$, that only give a Boolean 
reply, have no meaning as a working instruction and therefore ideally should only 
occur in steering fragments. Other instructions such as the assignment $(x := 2)$ can 
be both steering instructions as well as working instructions and can thus occur 
both inside as well as outside steering fragments. Finally, instructions such as 
writing to the screen $(\mathit{write}\ x)$ do not return a meaningful Boolean reply and 
should therefore ideally not occur in steering fragments. 

7.2 Marginal side effects 
7.2.1 Introduction 

Having seen the base class of side effects, we can move on to the next level, that 
of marginal side effects. The intuition behind a marginal side effect is fairly 
simple: the side effect of a single instruction is marginal if the remainder of 
the execution of the program is unaffected by the occurrence of the side effect. 
The following program is a typical example of one where a marginal side effect 
occurs: 

$d\pi = d\pi_1; ?([x := x + 1]\top); y := 1$

Here $d\pi_1$ can be any (deterministic) program. The side effect occurs in the 
test. However, since the variable $x$ is no longer used in the remainder of the 
program (which only consists of the single instruction $y := 1$), the remainder of 
the program is unaffected by the occurrence of the side effect. Therefore, this 
side effect is marginal. 

So what if $x$ does occur in the remainder of the program, for example in this 
program: 

$d\pi = d\pi_1; ?([x := x + 1]\top); x := x + 1$

This is a typical example of a program in which the occurring side effect is not 
marginal. The reason is that the assignment in the remainder of the program 
$(x := x + 1)$ has a different effect on the variable $x$ than it would have 
had if the side effect had not occurred. For instance, for initial valuation $g$ such 
that $g(x) = 1$ (and assuming $x$ does not occur in $d\pi_1$), the assignment maps $x$ 
to 3. If the side effect had not occurred, it would have had a different effect on 
$x$ (namely, it would have mapped it to 2). 

Another typical example of a program in which an occurring side effect is not 
marginal is our running example: 

$d\pi = d\pi_1; ?([x := x + 1]\top \circ\!\wedge (x = 2)); y := 1$

Here $d\pi_1$ can again be any deterministic program and the side effect occurs in 
the same place as in our first example. However, the test is now a complex 
test and in the second part of the test, $x$ is used. Suppose the valuation after 
evaluation of $d\pi_1$ is $f$ such that $f(x) = 1$, $f(y) = 2$. The second part of the test 
$(x = 2)$ will now give a different reply if a side effect does not occur in the first 
part (or if that side effect would have affected a different variable). As a result, 
the remainder of the program is affected by the side effect: it will be executed 
differently if a side effect occurs. 

Perhaps the answer to the question whether the side effect is marginal is less clear 
when the initial valuation in the previous example would not have been $g$ with 
$g(x) = 1$, but for example with $g(x) = 42$. It is still the case that the variable $x$, 
which is affected by a side effect, is used again in the remainder of the program, 
but now it does not change the outcome of the (complex) test. Is that side effect 
still not marginal then? The same question can be posed about the following 
example: 

$d\pi = d\pi_1; ?([x := x + 1]\top); x := 42$

Regardless of the initial valuation, at the end of this program (assuming $d\pi_1$ 
terminates) $x$ will always be mapped to 42. So is the side effect in the test 
marginal or not? The answer can be found by checking if the remainder of the 
program is executed in the same way, or more formally: if the actual update 
of the remainder of the program is the same regardless of whether a side effect 
has occurred. In both our last examples, the answer to that last question is 
yes. After all, in the first example the test $x = 2$ will fail whether $x$ has been 
incremented first or not, and in the second example $x$ will always be mapped 
to 42, again regardless of the side effect that incremented $x$ earlier. Therefore, 
the side effects in the discussed instructions are marginal. 

7.2.2 Marginal side effects in single instructions 

Although the intuition of marginal side effects should be clear enough by now, 
formally defining it is tricky because we have to define precisely what the 
remainder of a (deterministic) program $d\pi$ given a single instruction $p$ and an 
initial valuation $g$ is. Before we can define that, we also need to know the 
history of that same program given single instruction $p$, which is loosely described 
as those (single or basic) instructions that have already been evaluated when $p$ 
is about to get evaluated. 

In what follows we are going to assume that in a certain deterministic 
program $d\pi$ a single instruction $p$ occurs that is causing a side effect. Furthermore, 
we are going to use that given initial valuation $g$, any deterministic program 
has a unique canonical form that has the same behavior (see Proposition 3 in 
Chapter 5). Defining the history and remainder of a deterministic program is 
straightforward if that program is in canonical form. Also, we can actually 
immediately give a more general definition than what we need here, namely 
the history and remainder of a deterministic program given a basic instruction. 
This extra generality will come in handy later on. 

Definition 21. Let $d\pi$ be a deterministic program in canonical form. Let model 
$M$ and initial valuation $g$ be given and let $h$ be the valuation such that $g\llbracket d\pi\rrbracket^{M}_{A} h$. 
Let $w$ be a basic instruction occurring in $d\pi$, that is, $d\pi$ is of the form $d\pi_1; w; d\pi_2$, 
with $d\pi_1$ and $d\pi_2$ being possibly empty deterministic programs in canonical form. 
The history of program $d\pi$ given basic instruction $w$ is defined as: 



The remainder of program $d\pi$ given basic instruction $w$ is defined as: 



Using Proposition 2 the extension of the definitions of history and remainder 
of a program to all deterministic programs (not just the ones in canonical form) 
is trivial. 

Definition 22. Let $d\pi$ be a deterministic program. Let model $M$ and initial 
valuation $g$ be given and let $h$ be the valuation such that $g\llbracket d\pi\rrbracket^{M}_{A} h$. Furthermore, 
let $d\pi'$ be the deterministic program in canonical form as meant in Proposition 2. 
The history of program $d\pi$ given basic instruction $w$ is defined as: 

$\mathcal{H}^{M}_{g}(d\pi, w) = \mathcal{H}^{M}_{g}(d\pi', w)$

The remainder of program $d\pi$ given basic instruction $w$ is defined as: 

$\mathcal{R}^{M}_{g}(d\pi, w) = \mathcal{R}^{M}_{g}(d\pi', w)$

With definitions for the history and the remainder of a program in hand, 
we can define marginal side effects. According to our intuition, a side effect 
should be marginal if the evaluation of the remainder of the program is the same 
regardless of whether the side effect occurred. We can tell if that is the case by 
evaluating the remainder of the program with two different valuations: one in 
which the single instruction in which the side effect occurs has been evaluated 
using the actual evaluation, and one in which it has been evaluated using the 
expected evaluation.^ If the only difference between those two valuations is 
exactly the side effect that occurred in the single instruction, or if there is 
no difference between those two valuations at all, then we can say that the 
evaluation of the remainder of the program has been the same. This is formally 
defined as follows: 

Definition 23. Let $d\pi$ be a deterministic program. Let model $M$ and initial 
valuation $g$ be given and let $h_A$ be the valuation such that $g\llbracket d\pi\rrbracket^{M}_{A} h_A$. Let $p$ be a single 
instruction in program $d\pi$ causing a side effect, that is, for $g\llbracket\mathcal{H}^{M}_{g}(d\pi, p)\rrbracket^{M}_{A} f$, 
$\mathcal{S}^{M}_{f}(p) \neq \emptyset$. Let $f_A$ be the valuation such that $f\llbracket p\rrbracket^{M}_{A} f_A$ and let $f_E$ be the valuation 
such that $f\llbracket p\rrbracket^{M}_{E} f_E$. The side effect in $p$ is marginal iff for $f_A\llbracket\mathcal{R}^{M}_{g}(d\pi, p)\rrbracket^{M}_{A} h_A$: 

$\exists h_E \text{ s.th. } f_E\llbracket\mathcal{R}^{M}_{g}(d\pi, p)\rrbracket^{M}_{E} h_E \text{ and } \delta^{M}(h_E, h_A) = (\mathcal{S}^{M}_{f}(p) \text{ or } \emptyset)$



^We now need to restrict ourselves again to single instructions because the expected evaluation is (currently) undefined for complex steering fragments. 
So what happens here exactly? To show this, we return to the examples 
we have given earlier in this section. First, consider the program $d\pi = x := 1; ?([x := x + 1]\top); y := 1$, with initial valuation $g$ such that $g(x) = g(y) = 0$. We 
can observe that $d\pi$ is in canonical form. In this program, a side effect occurs 
in the single instruction $p = ?([x := x + 1]\top)$. So is this side effect marginal or 
not? Here we have the following: 

$\mathcal{H}^{M}_{g}(d\pi, p) = (x := 1)$
$\mathcal{R}^{M}_{g}(d\pi, p) = (y := 1)$
$f = g[x \mapsto 1, y \mapsto 0]$
$f_A = f[x \mapsto 2, y \mapsto 0]$
$f_E = f[x \mapsto 1, y \mapsto 0]$
$h_A = f_A[x \mapsto 2, y \mapsto 1]$
$h_E = f_E[x \mapsto 1, y \mapsto 1]$

As we can see, the valuations $f$ and $f_E$ are the same. Using our current definition 
of the expected evaluation, this will always be the case, so we could just use 
valuation $f$ here. However, as I have said in Section 6.5 of Chapter 5, I want 
to keep generality in the definitions of side effects. We might want to change 
the definition of the expected evaluation in the future or add new instructions 
or connectives that do modify the initial valuation. Therefore, we use valuation 
$f_E$, the resulting valuation after evaluating the single instruction $p$ with the 
expected evaluation. 

To determine if the side effects are marginal, we have to ask ourselves if 

$\delta^{M}(h_E, h_A) = \mathcal{S}^{M}_{f}(p) \text{ or } \emptyset$

We know how to calculate the set of side effects; it is $\{x \mapsto 2\}$. In this case, 
$\delta^{M}(h_E, h_A)$ is $\{x \mapsto 2\}$ too, so the side effect occurring in $p$ is marginal, which 
is what we want. We can also clearly see in this case that it is no coincidence 
that we are testing $\delta^{M}(h_E, h_A)$ and not $\delta^{M}(h_A, h_E)$: we need the valuation that 
is the result of evaluating the single instruction using the actual evaluation in 
order to properly compare this with the set of side effects. 

We can now take a look at an example in which the side effect should not 
be marginal. Consider the program $d\pi = x := 1; ?([x := x + 1]\top); x := x + 1$, 
with initial valuation $g$ such that $g(x) = 0$. This program is in canonical form 
too and the side effect occurs in the same single instruction $p$. This time we get 
the following: 

$\mathcal{H}^{M}_{g}(d\pi, p) = (x := 1)$
$\mathcal{R}^{M}_{g}(d\pi, p) = (x := x + 1)$
$f = g[x \mapsto 1]$
$f_A = f[x \mapsto 2]$
$f_E = f[x \mapsto 1]$
$h_A = f_A[x \mapsto 3]$
$h_E = f_E[x \mapsto 2]$

We have the same set of side effects: $\{x \mapsto 2\}$. However, $\delta^{M}(h_E, h_A)$ now is 
$\{x \mapsto 3\}$. Therefore the side effect is not marginal, which is again what we 
would expect. 

We have given a third example which closely resembles the ones we have 
discussed above, namely $d\pi = x := 1; ?([x := x + 1]\top); x := 42$. If we take 
the same initial valuation $g$ as above, everything except the remainder of the 
program given $p$ will be the same: 

$\mathcal{H}^{M}_{g}(d\pi, p) = (x := 1)$
$\mathcal{R}^{M}_{g}(d\pi, p) = (x := 42)$
$f = g[x \mapsto 1]$
$f_A = f[x \mapsto 2]$
$f_E = f[x \mapsto 1]$
$h_A = f_A[x \mapsto 42]$
$h_E = f_E[x \mapsto 42]$

With this example we can see why our definition of marginal side effects allows 
the difference between $h_A$ and $h_E$ to be $\emptyset$, too. We have seen before that in 
situations like these, the side effects should be marginal, and by allowing the 
difference to be $\emptyset$, that indeed is the case. 

7.2.3 Marginal side effects caused by primitive formulas 

As we have seen, our current definition of marginal side effects is capable of 
determining whether a side effect occurring in a single instruction is marginal 
or not. We still have to define marginal side effects for basic instructions. In 
particular, we need to have a definition for the situation in which a primitive 
formula in a complex test causes a side effect^ and in that same test, the variable 
affected by that side effect is used again, such as in the following program: 
$d\pi = d\pi_1; ?([x := x + 1]\top \circ\!\wedge (x = 2)); y := 1$. In order to define how to 
determine if a side effect is marginal or not in these situations, we need to extend 
our definitions of the history and remainder of a program such that it not only 
works given a single instruction, but also given a primitive formula. Before we 
can give that definition, we first need to define the history and remainder of a 
compound formula given a primitive formula. We are once again only interested 
in those two concepts if the primitive formula $\psi$ gets evaluated. 

To get an idea of what the history and the remainder of a compound formula 
given a primitive formula should be, consider the following example: 

$\psi = [x := 6]\top$
$\phi(\psi) = \neg\psi \circ\!\vee (x < 10) = \neg([x := 6]\top) \circ\!\vee (x < 10)$

In this example, the history of $\phi$ given $\psi$ and given model $M$ and initial valuation 
$g$ is empty. The remainder, however, is not: 

$\mathcal{R}^{M}_{g}(\phi, \psi) = x < 10$

^We say that a primitive formula causes a side effect here because a side effect cannot occur 
in a primitive formula. It can, however, occur in a single or basic instruction which tests that 
formula. 

Notice that this remainder should be empty if $\neg\psi$ would have been true. 

The history of a formula of course is not always empty. To illustrate that, 
we will first introduce a notational convention. 

Notation. We will write $\phi(\psi)$ to refer to the primitive formula $\psi$ occurring in 
formula $\phi$ at a specific position. 

As an example of this, compare the formulas $\phi_1(\psi) = \psi \circ\!\wedge \psi$ and $\phi_2(\psi) = \psi \circ\!\wedge \psi$. The difference between the formulas $\phi_1(\psi)$ and $\phi_2(\psi)$ is in the instance 
of primitive formula $\psi$ we are referring to. 

Let $\psi = [x := 6]\top$ and $\phi(\psi)$ as in the example above. Now consider the 
following example: 

$\Psi(\psi) = (x = 2 \circ\!\wedge \phi(\psi))$

Here the history of $\Psi$ given $\psi$ and given model $M$ and initial valuation $g$ such 
that $g(x) = 2$ is not empty: 

$\mathcal{H}^{M}_{g}(\Psi, \psi) = (x = 2)$

Now that we have given an intuition what the history and remainder of a formula 
given a primitive formula and an initial valuation are going to be, we can move 
on to giving the actual definitions. In what follows we will assume that the $\phi$ 
in $\mathcal{H}^{M}_{g}(\phi, \psi)$ is in normal form and that the specific primitive formula $\psi$ actually 
appears exactly once in formula $\phi(\psi)$ (although other instances of $\psi$ may occur 
in the formula). $\phi(\psi)$ can take the following forms: 

$\psi(\psi)$, $\neg\psi(\psi)$, $\phi_1(\psi) \circ\!\vee \phi_2$, $\phi_1 \circ\!\vee \phi_2(\psi)$, $\phi_1(\psi) \circ\!\wedge \phi_2$, $\phi_1 \circ\!\wedge \phi_2(\psi)$

Here $\psi(\psi)$ is the same as $\psi$. For each of these forms, we will have to define how 
the history and the remainder is calculated. 

Definition 24. Let $\phi$ be a formula of one of the above forms. Let model $M$ and 
initial valuation $g$ be given. Let $\psi$ be a primitive formula occurring in $\phi$ such 
that $\psi$ gets evaluated during the evaluation of $\phi$ given initial valuation $g$. The 
history of formula $\phi$ given primitive formula $\psi$ is defined as: 

$\mathcal{H}^{M}_{g}(\psi(\psi), \psi) = \top$

$\mathcal{H}^{M}_{g}(\phi_1(\psi) \circ\!\wedge \phi_2, \psi) = \mathcal{H}^{M}_{g}(\phi_1(\psi), \psi)$

$\mathcal{H}^{M}_{g}(\phi_1 \circ\!\wedge \phi_2(\psi), \psi) = \phi_1 \circ\!\wedge \mathcal{H}^{M}_{g}(\phi_2(\psi), \psi)$

The remainder of formula $\phi$ given primitive formula $\psi$ is defined as: 

$\mathcal{R}^{M}_{g}(\psi(\psi), \psi) = \top$

$\mathcal{R}^{M}_{g}(\neg\psi(\psi), \psi) = \neg\top$

$\mathcal{R}^{M}_{g}(\phi_1(\psi) \circ\!\vee \phi_2, \psi) = \mathcal{R}^{M}_{g}(\phi_1(\psi), \psi) \circ\!\vee \phi_2$

$\mathcal{R}^{M}_{g}(\phi_1 \circ\!\vee \phi_2(\psi), \psi) = \mathcal{R}^{M}_{g}(\phi_2(\psi), \psi)$

$\mathcal{R}^{M}_{g}(\phi_1(\psi) \circ\!\wedge \phi_2, \psi) = \mathcal{R}^{M}_{g}(\phi_1(\psi), \psi) \circ\!\wedge \phi_2$

$\mathcal{R}^{M}_{g}(\phi_1 \circ\!\wedge \phi_2(\psi), \psi) = \mathcal{R}^{M}_{g}(\phi_2(\psi), \psi)$
The reason we are only interested in the history and remainder of a primitive 
formula if that formula is actually evaluated, is straightforward: we use these 
definitions to calculate the side effects caused by that primitive formula and 
those side effects only exist if the primitive formula is evaluated. As straightforward 
as this is, the restriction is an important one. Because we know that $\psi$ 
gets evaluated (not to be confused with 'yielding true'), we do not have to take 
potentially troublesome formulas into account such as $\bot \circ\!\wedge \psi$. 

The above definitions make the history and remainder of a formula given 
a primitive formula partial functions. To see in which situations the history 
and remainder are defined and for which they are not, consider the following 
formula: 

$\phi = (x = 5 \circ\!\wedge [x := x + 1]\top) \circ\!\vee [x := x + 2]\top$

Now assume we want to know the history of $\phi$ given $\psi = [x := x + 1]\top$. This 
history $\mathcal{H}^{M}_{g}(\phi(\psi), \psi)$ is only defined if $[x := x + 1]\top$ gets evaluated, which in 
turn only is the case if we have an initial valuation $g$ such that $g(x) = 5$. For all 
initial valuations $g'$ such that $g'(x) \neq 5$, the history of $\phi$ given $\psi$ is undefined. If 
we would be interested in the history of $\phi$ given $\psi' = [x := x + 2]\top$, the situation 
would be reversed: in that case the history $\mathcal{H}^{M}_{g}(\phi(\psi'), \psi')$ is only undefined with 
initial valuation $g$ such that $g(x) = 5$. 

That the history (and the remainder) is undefined in these cases is not 
problematic because, as said, we are going to use these definitions to check if the 
side effects caused by $\psi$ are marginal, and $\psi$ can only cause side effects if it gets 
evaluated. 

Using these definitions, we can move on to define the history and remainder 
of a program given a primitive formula: 

Definition 25. Let $d\pi$ be a deterministic program in canonical form. Let model 
$M$ and initial valuation $g$ be given and let $h$ be the valuation such that $g\llbracket d\pi\rrbracket^{M}_{A} h$. 
Let $?\phi$ be a test occurring in program $d\pi$, where $\phi$ is a formula in normal form. 
Finally, let $\psi$ be a primitive formula occurring in $\phi$ such that $\psi$ gets evaluated 
during the evaluation of $\phi$ given initial valuation $g$. The history of program $d\pi$ 
given primitive formula $\psi$ is, for $g\llbracket\mathcal{H}^{M}_{g}(d\pi, ?\phi)\rrbracket^{M}_{A} f$, defined as: 

$\mathcal{H}^{M}_{g}(d\pi, \psi) = \mathcal{H}^{M}_{g}(d\pi, ?\phi); ?\mathcal{H}^{M}_{f}(\phi(\psi), \psi)$

The remainder of program $d\pi$ given primitive formula $\psi$ is defined as: 

$\mathcal{R}^{M}_{g}(d\pi, \psi) = ?\mathcal{R}^{M}_{f}(\phi(\psi), \psi); \mathcal{R}^{M}_{g}(d\pi, ?\phi)$

The final step is to give a definition to determine if a side effect occurring 
in a primitive formula is marginal. Given the above, this definition should not 
be surprising: 

Definition 26. Let $d\pi$ be a deterministic program. Let model $M$ and initial 
valuation $g$ be given and let $h_A$ be the valuation such that $g\llbracket d\pi\rrbracket^{M}_{A} h_A$. Let $\psi$ be 
a primitive formula in program $d\pi$ causing one of the side effects of $d\pi$. Let 
$f$ be the valuation such that $g\llbracket\mathcal{H}^{M}_{g}(d\pi, \psi)\rrbracket^{M}_{A} f$. Let $f_A$ be the valuation such 
that $f\llbracket ?\psi\rrbracket^{M}_{A} f_A$ or $f\llbracket ?\neg\psi\rrbracket^{M}_{A} f_A$, and let $f_E$ be the valuation such that $f\llbracket ?\psi\rrbracket^{M}_{E} f_E$ or 
$f\llbracket ?\neg\psi\rrbracket^{M}_{E} f_E$.^ The side effect caused by $\psi$ is marginal iff for $f_A\llbracket\mathcal{R}^{M}_{g}(d\pi, \psi)\rrbracket^{M}_{A} h_A$: 

$\exists h_E \text{ s.th. } f_E\llbracket\mathcal{R}^{M}_{g}(d\pi, \psi)\rrbracket^{M}_{E} h_E \text{ and } \delta^{M}(h_E, h_A) = (\mathcal{S}^{M}_{f}(?\psi) \text{ or } \emptyset)$

To show how this works, we return to the example given in the beginning of 
this section: $d\pi = x := 1; ?([x := x + 1]\top \circ\!\wedge (x = 2)); y := 1$, with initial valuation 
$g$ such that $g(x) = g(y) = 0$. Here the primitive formula $\psi = [x := x + 1]\top$ 
causes a side effect. We can now use our definition to find out if that side effect 
is marginal. For that, we first need the history of $d\pi$ given primitive formula $\psi$. 
To calculate $\mathcal{H}^{M}_{g}(d\pi, \psi)$, we first observe that $\phi$ is in normal form. This allows us 
to use Definition 25. This definition tells us to first calculate valuation $f$, 
which we get by evaluating $g\llbracket\mathcal{H}^{M}_{g}(d\pi, ?\phi)\rrbracket^{M}_{A} f$. Here $?\phi$ is a basic instruction, so 
we can use Definition 22 to calculate it. We have seen before how that evaluates: 

$\mathcal{H}^{M}_{g}(d\pi, ?\phi) = (x := 1)$

Thus we get $g\llbracket x := 1\rrbracket^{M}_{A} f$, so $f = g[x \mapsto 1, y \mapsto 0]$. 

All we need to do now to get the history we are looking for, is the history 
of formula $\phi$ given primitive formula $\psi$: $\mathcal{H}^{M}_{f}(\phi(\psi), \psi)$. We can use Definition 
24 here and are in the situation where $\phi(\psi) = \phi_1(\psi) \circ\!\wedge \phi_2$. Here $\phi_1 = \psi$ and 
$\phi_2 = (x = 2)$, so as history we get: 

$\mathcal{H}^{M}_{f}(\phi(\psi), \psi) = \mathcal{H}^{M}_{f}(\psi(\psi), \psi) = \top$

Thus, the history of program $d\pi$ given primitive formula $\psi$ is: 

$\mathcal{H}^{M}_{g}(d\pi, \psi) = \mathcal{H}^{M}_{g}(d\pi, ?\phi); ?\mathcal{H}^{M}_{f}(\phi(\psi), \psi) = (x := 1); ?\top$

With the information above we can also immediately calculate the remainder of 
formula $\phi$ given primitive formula $\psi$: 

$\mathcal{R}^{M}_{f}(\phi(\psi), \psi) = \mathcal{R}^{M}_{f}(\phi_1(\psi) \circ\!\wedge \phi_2, \psi) = \mathcal{R}^{M}_{f}(\phi_1(\psi), \psi) \circ\!\wedge \phi_2 = \mathcal{R}^{M}_{f}(\psi(\psi), \psi) \circ\!\wedge \phi_2 = \top \circ\!\wedge (x = 2)$

Then all we need to determine the remainder of program $d\pi$ given primitive 
formula $\psi$ is the remainder of program $d\pi$ given basic instruction $?\phi$. To see 
how this evaluates, see the previous section. We can use Definition 21 for this 
again and get: 

$f_A = f[x \mapsto 2, y \mapsto 0]$
$\mathcal{R}^{M}_{g}(d\pi, ?\phi) = (y := 1)$

^This distinction is necessary because we can only evaluate a test if its argument yields 
true. $M \models_f \psi$ might actually yield false if $\psi$ is part of a larger formula $\phi$ that despite that 
yields true, such as $\phi = \psi \circ\!\vee \phi_1$ such that $M \models_{f_A} \phi_1$. Thus, we need either $\psi$ or $\neg\psi$. 

So the remainder of program $d\pi$ given primitive formula $\psi$ is: 

$\mathcal{R}^{M}_{g}(d\pi, \psi) = ?\mathcal{R}^{M}_{f}(\phi(\psi), \psi); \mathcal{R}^{M}_{g}(d\pi, ?\phi) = ?(\top \circ\!\wedge (x = 2)); (y := 1)$

Now that we have the history and the remainder of $d\pi$ given $\psi$, we can finally 
determine if the side effect occurring in $\psi$ is marginal. To quickly recap, we 
have: 

$\mathcal{H}^{M}_{g}(d\pi, \psi) = (x := 1); ?\top$
$\mathcal{R}^{M}_{g}(d\pi, \psi) = ?(\top \circ\!\wedge (x = 2)); (y := 1)$
$f = g[x \mapsto 1, y \mapsto 0]$
$f_A = f[x \mapsto 2, y \mapsto 0]$
$f_E = f[x \mapsto 1, y \mapsto 0]$
$h_E$ does not exist 

Here we have an example where we do not even have to determine if $\delta^{M}(h_E, h_A)$ 
is the same as $\mathcal{S}^{M}_{f}(?\psi)$, because there is no valuation $h_E$ such that 

$f_E\llbracket\mathcal{R}^{M}_{g}(d\pi, \psi)\rrbracket^{M}_{E} h_E$

This is because for valuation $f_E$ the test $?(\top \circ\!\wedge (x = 2))$ will fail. Therefore, the 
side effect in $\psi$ is 'automatically' not marginal, which is indeed what we wanted. 
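The formula-level definitions can be exercised in code as well: Definition 24, its partiality as discussed for $\phi = (x = 5 \circ\!\wedge [x := x + 1]\top) \circ\!\vee [x := x + 2]\top$, and the failing test $?(\top \circ\!\wedge (x = 2))$ of the example just given. The Python script below is an added example written for this page, not code from the thesis. It encodes formulas in normal form as nested tuples, evaluates them left-sequentially with short-circuiting and with assignments as formulas, records which primitive occurrences get evaluated, and computes the history and remainder of a formula given one occurrence of a primitive formula (occurrences are told apart by object identity, which is the notation $\phi(\psi)$ in code). Where the text leaves a case out, the script fills it with a labelled assumption: the history of $\neg\psi(\psi)$ and of the $\circ\!\vee$ forms is taken by analogy with the stated cases, and the remainder of $\neg\psi(\psi)$ is taken as $\neg\top$ so that the right operand of a disjunction stays reachable, which is what the example $\mathcal{R}^{M}_{g}(\phi, \psi) = x < 10$ requires. The names `history`, `remainder`, `gets_evaluated` and `show` are the example's own.

```python
"""Formulas in normal form with short-circuit evaluation and assignments as
formulas; history and remainder of a formula given one occurrence of a
primitive formula (Definition 24).  Added example with its own encoding; not
code from the thesis."""
from typing import Callable, Dict, List, Optional, Tuple

Valuation = Dict[str, int]
# Formula encoding (constructed for this example):
#   ('T',)                        the constant true
#   ('cmp', label, pred)          comparison: pred(g) -> bool, no update
#   ('asg', label, var, term)     [var := term]T: replies true, updates var
#   ('not', phi)  ('and', p, q)  ('or', p, q)    left-sequential connectives
# Negation is only applied to primitives, as in normal form.  An occurrence
# of a primitive is identified by object identity, so phi(psi) refers to one
# specific position even when the same primitive text appears twice.
TOP = ('T',)


def cmp(label: str, pred: Callable[[Valuation], bool]) -> tuple:
    return ('cmp', label, pred)


def asg(label: str, var: str, term: Callable[[Valuation], int]) -> tuple:
    return ('asg', label, var, term)


def NOT(p): return ('not', p)
def AND(p, q): return ('and', p, q)
def OR(p, q): return ('or', p, q)


def evaluate(phi, g: Valuation, trace: Optional[list] = None) -> Tuple[bool, Valuation]:
    """Actual, left-sequential short-circuit evaluation.  Every primitive that
    gets evaluated is appended to trace (if given)."""
    kind = phi[0]
    if kind == 'T':
        return True, g
    if kind == 'cmp':
        if trace is not None:
            trace.append(phi)
        return phi[2](g), g
    if kind == 'asg':
        if trace is not None:
            trace.append(phi)
        h = dict(g)
        h[phi[2]] = phi[3](g)
        return True, h
    if kind == 'not':
        r, h = evaluate(phi[1], g, trace)
        return (not r), h
    r, h = evaluate(phi[1], g, trace)           # 'and' / 'or': left operand first
    if kind == 'and':
        return evaluate(phi[2], h, trace) if r else (False, h)
    return (True, h) if r else evaluate(phi[2], h, trace)


def gets_evaluated(phi, psi, g: Valuation) -> bool:
    trace: List[tuple] = []
    evaluate(phi, g, trace)
    return any(p is psi for p in trace)


def contains(phi, psi) -> bool:
    return phi is psi or any(contains(s, psi) for s in phi[1:] if isinstance(s, tuple))


def history(phi, psi, g: Valuation):
    """H_g(phi(psi), psi); None where undefined (psi not evaluated under g).
    The text states the psi and the 'and' cases; 'not' and 'or' are assumed."""
    return _hist(phi, psi) if gets_evaluated(phi, psi, g) else None


def _hist(phi, psi):
    if phi is psi or phi[0] == 'not':   # H(psi(psi), psi) = T; H(~psi(psi), psi) = T (assumed)
        return TOP
    if phi[0] not in ('and', 'or'):
        raise ValueError('psi does not occur in this subformula')
    kind, p, q = phi
    if contains(p, psi):                # H(phi1(psi) op phi2, psi) = H(phi1(psi), psi)
        return _hist(p, psi)
    return (kind, p, _hist(q, psi))     # H(phi1 op phi2(psi), psi) = phi1 op H(phi2(psi), psi)


def remainder(phi, psi, g: Valuation):
    """R_g(phi(psi), psi); None where undefined.  R(~psi(psi), psi) = ~T here
    (assumed reading), which keeps the right operand of an 'or' reachable."""
    return _rem(phi, psi) if gets_evaluated(phi, psi, g) else None


def _rem(phi, psi):
    if phi is psi:                      # R(psi(psi), psi) = T
        return TOP
    if phi[0] == 'not':
        return NOT(TOP)
    if phi[0] not in ('and', 'or'):
        raise ValueError('psi does not occur in this subformula')
    kind, p, q = phi
    if contains(p, psi):                # R(phi1(psi) op phi2, psi) = R(phi1(psi), psi) op phi2
        return (kind, _rem(p, psi), q)
    return _rem(q, psi)                 # R(phi1 op phi2(psi), psi) = R(phi2(psi), psi)


def show(phi) -> str:
    """Render a formula; '&' and '|' stand for the left-sequential connectives."""
    kind = phi[0]
    if kind == 'T':
        return 'T'
    if kind in ('cmp', 'asg'):
        return phi[1]
    if kind == 'not':
        return '~' + show(phi[1])
    return '(%s %s %s)' % (show(phi[1]), '&' if kind == 'and' else '|', show(phi[2]))
```

The script keeps the constants the rules introduce (`T`, `~T`) rather than simplifying them away, so the remainder of the first example prints as `(~T | x<10)` where the text writes $x < 10$; evaluating both gives the same reply and the same valuation. For the running example, `remainder` yields `(T & x=2)`, which evaluates to false in $f_E$ ($x = 1$) and to true in $f_A$ ($x = 2$), which is exactly why no $h_E$ exists there.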

7.3 Other classes of side effects 

There are two more classes of side effects that I want to discuss. The first is the 
class of detectible side effects. According to Bergstra, a side effect in an instruction 
is detectible if the fact that that side effect has occurred can be measured by 
means of a steering fragment containing that instruction [T]. This is the most 
general class of side effects: in my terms, any difference between the actual and 
the expected evaluation of a single instruction is a detectible side effect. 

The presence of detectible side effects suggests there are non-detectible side 
effects as well. This can indeed be the case. A side effect is undetectible if the 
evaluation of a (single) instruction causing a side effect would normally change 
the program state, but because of the specific initial valuation, it does not. As 
a simple example, consider the single instruction $?([v := 1]\top)$. Under any initial 
valuation $g$ this would change the program state and cause a side effect, with 
one exception: namely if $g(v) = 1$. We can formally define this as follows: 

Definition 27. Let $p$ be a single instruction in model $M$ under initial valuation 
$g$, updating the valuation of a variable $v$.^ Furthermore, let $\mathcal{S}^{M}_{g}(p) = \emptyset$. $p$ 
contains an undetectible side effect iff for $h$ such that $h(v) \neq g(v)$: 



^In DLAf, this would mean that $p$ either is $v := t$ or $?([v := t]\top)$. 

It remains to be seen whether these non-detectible side effects are worth 
our attention. After all, not being able to detect side effects suggests that the 
presence of the side effects does not make much difference, in any case not to the 
further execution of the program. Possible exceptions to this are the execution 
speed or the efficiency of the program, especially if there are a lot of undetectible 
side effects. 

In contrast to non-detectible side effects, marginal side effects can potentially 
be very useful because they can occur far more often. Like non-detectible 
side effects, they are a measure of the impact of a side effect. If a side effect 
is marginal, that means that the rest of the program is unaffected by it and 
therefore, the side effect is essentially pretty harmless. One could at this point 
imagine a claim that a program in which only marginal side effects occur can be 
considered a well-written program, whereas a program in which non-marginal 
side effects occur is one that should probably be rewritten to avoid unexpected 
behavior. We will leave further investigation of this claim for future work, however. 
A case study: Program Algebra 

In Chapter 5 I presented the system I will be using for the treatment of side 
effects. In this chapter I will provide a case study to see my system in action. For 
this, we will use Program Algebra (PGA) [S]. Since PGA is a basic framework 
for sequential programming, it provides an ideal case study for our treatment 
of side effects. By showing how side effects are determined in the very general 
setting of PGA, we are essentially showing how they are dealt with in a host of 
different, more specific programming languages. 

I will first summarize PGA and explain how we can use it. Next, some 
extensions necessary for our purpose will be presented. Finally, I will present 
some examples to see in full how my system deals with side effects. 

8.1 Program Algebra 
8.1.1 Basics of PGA 

PGA is built from a set $A$ of basic instructions (not to be confused with the 
DLAf notion by the same name), which are regarded as indivisible units. Basic 
instructions always provide a Boolean reply, which may be used for program 
control (i.e. in steering fragments). There are two composition constructs: concatenation 
and repetition. If $X$ and $Y$ are programs, then so is their concatenation 
$X; Y$ and the repetition $X^\omega$. PGA has the following primitive instructions: 

• Basic instruction. Basic instructions are typically notated as $a, b, \ldots$. As 
said they generate a Boolean value. Especially important for our purpose 
is that their associated behavior may modify a (program) state. 

• Termination instruction. This instruction, notated as $!$, terminates the 
program. 

• Test instruction. Test instructions come in two flavours: the positive 
test instruction, notated as $+a$ (where $a$ is a basic instruction), and its 
negative counterpart, $-a$. For the positive test instruction, $a$ is evaluated 
and if it yields true, all remaining instructions are executed. If it yields 
false, the next instruction is skipped and evaluation continues with the 
instruction after that. For the negative test instruction, this is the other 
way around. 

• Forward jump instruction. A jump instruction, notated as $\#k$, where 
$k$ can be any natural number. This instruction prescribes a jump to $k$ 
instructions from the current one. If $k = 0$, the program jumps to the 
same instruction and inaction occurs. If $k = 1$, the program jumps to 
the next instruction (so this is essentially useless). If $k = 2$, the next 
instruction is skipped and the program proceeds with the one after that, 
and so on. 

If two programs execute identical sequences of instructions, instruction sequence 
congruence holds between them. This can be axiomatized by the following 
four axioms: 

$(X; Y); Z = X; (Y; Z)$ (PGA1) 

$(X^\omega)^\omega = X^\omega$ (PGA2) 

$X^\omega; Y = X^\omega$ (PGA3) 

$(X; Y)^\omega = X; (Y; X)^\omega$ (PGA4) 

The first canonical form of a PGA program is then defined to be a PGA program 
which is in one of the following two forms: 

1. $X$ not containing a repetition 

2. $X; Y^\omega$, with both $X$ and $Y$ not containing a repetition 

Any PGA program can be rewritten into a first canonical form using the above 
four equations. The next four axiom schemes for PGA deal with the simplification 
of chained jumps: 

$\#n{+}1; u_1; \ldots; u_n; \#0 = \#0; u_1; \ldots; u_n; \#0$ (PGA5) 

$\#n{+}1; u_1; \ldots; u_n; \#m = \#n{+}m{+}1; u_1; \ldots; u_n; \#m$ (PGA6) 

$(\#n{+}k{+}1; u_1; \ldots; u_n)^\omega = (\#k; u_1; \ldots; u_n)^\omega$ (PGA7) 

$X = u_1; \ldots; u_n; (v_1; \ldots; v_{m+1})^\omega \implies \#n{+}m{+}k{+}2; X = \#n{+}k{+}1; X$ (PGA8) 

Programs are considered to be structurally congruent if they can be proven equal 
using the axioms PGA1-8. 

The second canonical form of a PGA program is defined to be a PGA program 
in first canonical form for which additionally the following holds: 

1. There are no chained jumps 

2. Counters used for a jump into the repeating part of the expression are as 
short as possible 

Each PGA expression can be rewritten into a shortest structurally equivalent 
second canonical form using the above eight equations [5]. 
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8.1.2 Behavior extraction 

The previous section describes the forms a PGA program can take. In this 
section I will explain the behavioral semantics defined in [3|. The process of 
determining the behavior of a PGA program given its instructions is called 
behavior extraction. The behavioral semantics itself is based on thread algebra, 
TA in short. 

Like PGA, TA has a set A of basic instructions, which in this setting are 
referred to as actions. Furthermore, it has the following two constants and two 
composition mechanisms: 

• Termination This is notated as $S$ (for Stop) and terminates the behavior.

• Divergent behavior This is notated as $D$ (for Divergence). Divergence
(or inaction) means there no longer is active behavior. For instance, infinite
jump loops cause divergent behavior, since the program only makes jumps and
does not perform any actions.

• Postconditional composition This is notated as $P \unlhd a \unrhd Q$ and means
that first $a$ is executed; if its reply is true then the behavior proceeds with
$P$, otherwise it proceeds with $Q$.

• Action prefix This is notated as $a \circ P$ and is a shorthand for $P \unlhd a \unrhd P$:
regardless of the reply of $a$, the behavior proceeds with $P$.

As said, behavior extraction determines the behavior of a PGA program
given its instructions. For that, the behavior extraction operator, notated as
$|\_|$, is defined. If a program ends without an explicit termination instruction, it
is defined to end in inaction by the following equation:

$|X| = |X; (\#0)^\omega|$ (8.1)

A termination instruction followed by other instructions ends in termination
and nothing else, which is defined by the following equation:

$|!; X| = S$ (8.2)

Behavior extraction is further defined by the following equations dealing with
the composition mechanisms:

$|a; X| = a \circ |X|$ (8.3)
$|{+}a; u; X| = |u; X| \unlhd a \unrhd |X|$ (8.4)
$|{-}a; u; X| = |X| \unlhd a \unrhd |u; X|$ (8.5)

The jump instruction requires a set of equations as well. The first equation
defines that a jump instruction which jumps to itself leads to inaction. The
second and third define how a jump instruction can skip subsequent instructions.

$|\#0; X| = D$ (8.6)
$|\#k{+}2; u; X| = |\#k{+}1; X|$ (8.7)
(8.8)
8.1.3 Extensions of PGA

PGA is the most basic framework [18]. However, there are many extensions that
introduce more 'advanced' programming features such as goto's and backward
jump instructions. Via projections, each of these extensions can be projected to
PGA in such a way that the resulting PGA-program is behaviorally equivalent
to the original program. Examples of such extensions are PGLB, in which PGA
is extended with a backward jump instruction ($\backslash\#k$), and PGLBg, in which
PGLB is further extended with a label catch instruction (£a) and an absolute
goto instruction (##£a).

Of particular interest for our purpose is the extension of PGA with the unit
instruction operator (PGA_u), introduced in [18]. The idea of the unit instruction
operator, notated as u(_), is to wrap a sequence of instructions into a single unit
of length 1. That way, a more flexible style of PGA-programming is possible.
In particular, programs of the form

if a then {
    b, c, d
} else {
    f, g, h
}

now have a more intuitive translation: $+a;\ u(b;\ c;\ d;\ \#4);\ f;\ g;\ h$ (footnote 1).
Because, thanks to the unit instruction operator, the instructions $b$, $c$, $d$ and $\#4$
are viewed as a single instruction, the execution of those is skipped when $a$ yields
false.

8.2 Logical connectives in PGA

8.2.1 Introduction

As mentioned in Section 8.1, in PGA a lot of basic notations for assembly-like
programming languages are defined, especially with its extension with the unit
instruction operator (PGA_u) [18]. However, one important basic notation is
missing: that of complex tests, of the form if (a and b) then c. As we have
seen, currently there are positive and negative test instructions in PGA, which
can only test the Boolean reply of a single instruction. More complex constructions
such as the one in the working example of Section 3.2 are however very
common in programming practice and also appear in research papers such as
[1], where they are referred to as complex steering fragments. This means that
for our purpose, PGA will have to be extended to accommodate complex
steering fragments. I will do so below.

Atomic steering fragments (that is, steering fragments containing only one
instruction) are already present in PGA in the form of the positive and negative
test instruction ($+a$ and $-a$ respectively). If we were to extend this with complex
steering fragments, an obvious notation would be $+\phi$ and $-\phi$. The question
now is what forms $\phi$ can take and what it means to have such a complex test.

Since the instructions in the steering fragment need to produce a Boolean
reply, the answer to the question above in my opinion should be that a complex
test can only be meaningful if all the instructions in the complex test may be
used to determine the reply. It is not necessary that all instructions are always
used to determine the reply: for instance when using short-circuit evaluation, in
some situations not all components of a complex test have to be (and therefore
are not) used. However, my claim here is that if a certain instruction is never
necessary to determine the Boolean reply of the whole steering fragment, then
it should not be in the steering fragment.

1. The jump is necessary to prevent the instructions $f$, $g$ and $h$ from being
executed when $a$ yields true.

Currently, PGA has two composition constructs (concatenation and repetition).
Neither of those defines anything, however, about the Boolean value of
multiple instructions. That is, the Boolean value of $\phi; \ldots; \psi$ and of $\phi^\omega$ is
undefined. The intuitive way to determine the Boolean reply of a sequence of
instructions is via logical connectives such as And ($\wedge$) and Or ($\vee$). However,
these are not present yet in PGA. This means that I will have to introduce them
in an extension of PGA_u, which we baptize PGA_ul.

Before I do so, however, I need to say something more about the type of
And and Or I will be using. There are multiple flavours available:

• Logical And / Or These versions are notated as $\wedge$ and $\vee$, respectively.
They use full evaluation and the order of evaluation is undefined.

• Short-circuit Left And / Or These versions are the ones we use in DLAf
(see Chapter 5). They are notated as ${}^\circ\!\wedge$ and ${}^\circ\!\vee$. From here on I will refer
to them as SCLAnd and SCLOr. They use short-circuit evaluation and
are therefore not commutative. The left conjunct or disjunct is evaluated
first. There naturally are right-hand versions as well, but I will not be
using them.

• Logical Left And / Or These versions are a combination of the other
two: they use full evaluation, but the left conjunct or disjunct is evaluated
first. I will notate these as & and |, respectively, and refer to them as LLAnd
and LLOr. I will not discuss right-hand versions.

The latter two are interesting for our purpose, because they are very suitable
to demonstrate side effects. However, since we currently only have SCLAnd
and SCLOr at our disposal in DLAf, I will concentrate on those connectives.
Although LLAnd and LLOr can be added to both PGA and DLAf, this would
raise more questions than it answers, for instance with regard to the logic which
would then be behind the system, which is why we leave it for future work.

The above connectives will almost always be used in combination with either
a positive or a negative test. This will be written as $+(a \,{}^\circ\!\wedge\, b)$ (and similarly for
the negative test and the ${}^\circ\!\vee$ connective).

8.2.2 Implementation of SCLAnd and SCLOr

If I am to introduce the mentioned logical connectives in PGA_ul, I will have to
be able to project this extension into PGA. Since the projection of PGA_u to
PGA is already given in [18], it is sufficient to project PGA_ul to PGA_u to show
that the former can be projected to PGA. Below is a proposal of a projection
of the SCLAnd (${}^\circ\!\wedge$) connective from PGA_ul to PGA_u, for $a, b \in A$:

$\mathrm{pgaul2pgau}(+(a \,{}^\circ\!\wedge\, b)) = u(+a;\ u(+b;\ \#2);\ \#2)$ (8.9)
To see why this projection works, consider the following example: suppose we
have the sequence $+\phi; c; d$ with $\phi = a \,{}^\circ\!\wedge\, b$. This means that if $a$ and $b$ are
true, $c$ and $d$ will be executed. Otherwise, only $d$ will be executed. In PGA_ul
this sequence would be $+(a \,{}^\circ\!\wedge\, b); c; d$. The projection to PGA_u would then be
$u(+a;\ u(+b;\ \#2);\ \#2);\ c;\ d$. If $a$ is false, the execution skips the unit and executes
the jump instruction, ending up executing $d$. If $a$ is true, the unit is entered,
starting with the test $b$. If $b$ is false, the execution again arrives at the same
jump as before, skipping $c$ and executing $d$. If $b$ is true, a different jump is
executed which makes the program jump to $c$ first and only then moves on to
$d$, which is exactly the desired behaviour.

The entire projection is wrapped in a unit because, as we will see later, the 
SCLAnd and other operators we define here also are to be considered units. 
Therefore, a program sequence prior to (or after) the operators discussed here 
cannot jump into the execution of that operator. By wrapping the projection 
into a unit I ensure that cannot happen after the projection either. 

For the SCLOr connective, the projection is a little easier. It looks like this,
again for $a, b \in A$:

$\mathrm{pgaul2pgau}(+(a \,{}^\circ\!\vee\, b)) = u(-a;\ +b)$ (8.10)

To see why this projection works, consider the same example as above: $+\phi; c; d$,
but now with $\phi = a \,{}^\circ\!\vee\, b$. So, if $a$ and/or $b$ are true, $c$ and $d$ should be executed.
If they are both false, only $d$ should be executed. In PGA_ul this looks like this:
$+(a \,{}^\circ\!\vee\, b); c; d$. The projection to PGA_u then is $u(-a;\ +b);\ c;\ d$. So, if $a$ is true,
execution skips testing $b$ and moves on directly to $c$. If $a$ is false, $b$ is tested
first. If $b$ is also false, execution skips $c$ and $d$ is executed. If $b$ is true, $c$ gets
executed first: exactly the desired behaviour.

So far, we have only been considering programs of the form $+\phi; c; d$, that
is, with a positive test. Of course, we also have the negative test instruction.
For a negative test, the projection of SCLAnd resembles that of SCLOr. This
comes as no surprise since SCLAnd and SCLOr are each other's dual. It looks
like this, again for $a, b \in A$:

$\mathrm{pgaul2pgau}(-(a \,{}^\circ\!\wedge\, b)) = u(+a;\ -b)$ (8.11)

The projection of ${}^\circ\!\vee$ for a negative test resembles the projection of ${}^\circ\!\wedge$ for a
positive test:

$\mathrm{pgaul2pgau}(-(a \,{}^\circ\!\vee\, b)) = u(-a;\ u(-b;\ \#2);\ \#2)$ (8.12)
8.2.3 Complex Steering Fragments

The implementations in the previous section work for steering fragments
containing a single logical connective (that is, with disjuncts or conjuncts $a, b \in A$).
However, we also need to define what happens for larger complex steering
fragments (for instance $a \,{}^\circ\!\wedge\, (b \,{}^\circ\!\vee\, c)$). In order to accommodate this, we need one
more property for the ${}^\circ\!\wedge$ and ${}^\circ\!\vee$ operators in PGA: they have to be treated as
units. If we do this, we can give a recursive definition for the projection, with
as base cases the ones given in the previous section.

In what follows, the formulas $\phi_1$ and $\phi_2$ can take the following form:

(8.13)

As we can see, this includes negation. For more on negation, see the next
section. We get the following projections:

$\mathrm{pgaul2pgau}(+(\phi_1 \,{}^\circ\!\wedge\, \phi_2)) = u(\mathrm{pgaul2pgau}(+\phi_1);\ u(\mathrm{pgaul2pgau}(+\phi_2);\ \#2);\ \#2)$
$\mathrm{pgaul2pgau}(+(\phi_1 \,{}^\circ\!\vee\, \phi_2)) = u(\mathrm{pgaul2pgau}(-\phi_1);\ \mathrm{pgaul2pgau}(+\phi_2))$
$\mathrm{pgaul2pgau}(-(\phi_1 \,{}^\circ\!\wedge\, \phi_2)) = u(\mathrm{pgaul2pgau}(+\phi_1);\ \mathrm{pgaul2pgau}(-\phi_2))$
$\mathrm{pgaul2pgau}(-(\phi_1 \,{}^\circ\!\vee\, \phi_2)) = u(\mathrm{pgaul2pgau}(-\phi_1);\ u(\mathrm{pgaul2pgau}(-\phi_2);\ \#2);\ \#2)$

This works as follows. Consider the example $+\phi; d; !$ with $\phi = a \,{}^\circ\!\wedge\, (b \,{}^\circ\!\wedge\, c)$.
In PGA_ul this would be written as:

$+(a \,{}^\circ\!\wedge\, (b \,{}^\circ\!\wedge\, c));\ d;\ !$ (8.14)

We can use our new recursive definition of ${}^\circ\!\wedge$ and get:

$\mathrm{pgaul2pgau}(+(a \,{}^\circ\!\wedge\, (b \,{}^\circ\!\wedge\, c));\ d;\ !) = u(\mathrm{pgaul2pgau}(+a);\ u(\mathrm{pgaul2pgau}(+(b \,{}^\circ\!\wedge\, c));\ \#2);\ \#2);\ d;\ !$

The projections left now are base cases of $+a$ and $+(b \,{}^\circ\!\wedge\, c)$, respectively. Thus,
we get

$\mathrm{pgaul2pgau}(+(a \,{}^\circ\!\wedge\, (b \,{}^\circ\!\wedge\, c));\ d;\ !)$
$\quad = u(\mathrm{pgaul2pgau}(+a);\ u(\mathrm{pgaul2pgau}(+(b \,{}^\circ\!\wedge\, c));\ \#2);\ \#2);\ d;\ !$
$\quad = u(+a;\ u(u(+b;\ u(+c;\ \#2);\ \#2);\ \#2);\ \#2);\ d;\ !$

An interesting question is whether these projections make ${}^\circ\!\wedge$ an associative
operator. To find out, we compare the above with the example $+\phi; d; !$ where
this time $\phi = (a \,{}^\circ\!\wedge\, b) \,{}^\circ\!\wedge\, c$. We get:

$\mathrm{pgaul2pgau}(+((a \,{}^\circ\!\wedge\, b) \,{}^\circ\!\wedge\, c);\ d;\ !)$
$\quad = u(\mathrm{pgaul2pgau}(+(a \,{}^\circ\!\wedge\, b));\ u(\mathrm{pgaul2pgau}(+c);\ \#2);\ \#2);\ d;\ !$
$\quad = u(u(+a;\ u(+b;\ \#2);\ \#2);\ u(+c;\ \#2);\ \#2);\ d;\ !$

We can use behavior extraction to check whether these programs are behaviorally
equivalent. It turns out that both programs indeed have the same behavior:

$((d \circ S \unlhd c \unrhd S) \unlhd b \unrhd S) \unlhd a \unrhd S$

Thus, we can conclude that ${}^\circ\!\wedge$ is associative in PGA_ul, as we would expect given
SCL7. We can analyze ${}^\circ\!\vee$ in a similar manner.
8.2.4 Negation

Now that we have the projections for positive and negative tests defined, we can
turn our attention to one more operator that is common both in programming
practice and in logic: negation. In PGA, negation is absent, so we need to define
it here. Not all instructions or sequences of instructions can be negated: after
all, there is no intuition for the meaning of the negation of a certain behavior.
We can, however, negate basic instructions: by this we mean that their Boolean
reply changes value. Sequences of instructions consisting of the operators I have
defined above can be negated as well, which I will write as $\neg\phi$. First, I define
the following standard projection rules:

$+(\neg\phi) = -\phi$ (8.15)
$-(\neg\phi) = +\phi$ (8.16)
$\neg\neg\phi = \phi$ (8.17)

Now that we have this, we need to take a look at how negation interacts with
the ${}^\circ\!\wedge$ and ${}^\circ\!\vee$ connectives. In particular, we are interested in what happens if
one or both of the instructions in such a connective are negated. For this,
De Morgan's laws will come in handy:

$\neg(\phi_1 \,{}^\circ\!\wedge\, \phi_2) = \neg\phi_1 \,{}^\circ\!\vee\, \neg\phi_2$ (8.18)
$\neg(\phi_1 \,{}^\circ\!\vee\, \phi_2) = \neg\phi_1 \,{}^\circ\!\wedge\, \neg\phi_2$ (8.19)

With the above equations in combination with equations 8.15-8.17 we already
have the projections for two possible cases (namely when no instructions
are negated and when both instructions are negated). That leaves us two other
cases for both ${}^\circ\!\wedge$ and ${}^\circ\!\vee$: one in which the first instruction is negated, and one
in which the other is. Below are the projections of these cases:

$\mathrm{pgaul2pgau}(+(\neg\phi_1 \,{}^\circ\!\wedge\, \phi_2)) = \mathrm{pgaul2pgau}(-(\phi_1 \,{}^\circ\!\vee\, \neg\phi_2))$
$\quad = u(\mathrm{pgaul2pgau}(+\phi_1);\ \#3;\ \mathrm{pgaul2pgau}(+\phi_2))$ (8.20)

$\mathrm{pgaul2pgau}(+(\phi_1 \,{}^\circ\!\wedge\, \neg\phi_2)) = \mathrm{pgaul2pgau}(-(\neg\phi_1 \,{}^\circ\!\vee\, \phi_2))$
$\quad = u(\mathrm{pgaul2pgau}(-\phi_1);\ \#3;\ \mathrm{pgaul2pgau}(-\phi_2))$ (8.21)

$\mathrm{pgaul2pgau}(+(\neg\phi_1 \,{}^\circ\!\vee\, \phi_2)) = \mathrm{pgaul2pgau}(-(\phi_1 \,{}^\circ\!\wedge\, \neg\phi_2))$
$\quad = u(\mathrm{pgaul2pgau}(-\phi_1);\ \#2;\ \mathrm{pgaul2pgau}(+\phi_2))$ (8.22)

$\mathrm{pgaul2pgau}(+(\phi_1 \,{}^\circ\!\vee\, \neg\phi_2)) = \mathrm{pgaul2pgau}(-(\neg\phi_1 \,{}^\circ\!\wedge\, \phi_2))$
$\quad = u(\mathrm{pgaul2pgau}(+\phi_1);\ \#2;\ \mathrm{pgaul2pgau}(-\phi_2))$ (8.23)

In each of these, the jump is what makes the projection correct: in (8.20), for
instance, a true reply of $\phi_1$ falsifies the whole test, so $\#3$ skips the test of $\phi_2$
and the instruction that follows the unit; in (8.22), a false reply of $\phi_1$ already
makes the disjunction true, so $\#2$ skips only the test of $\phi_2$ and lands on the
instruction that follows the unit.

For more on the ${}^\circ\!\wedge$ and ${}^\circ\!\vee$ connectives and the rules that apply to them, see
the paper by Bergstra and Ponse on short-circuit logic [5] as well as Chapter 5.

8.2.5 Other instructions

In the previous subsections we have seen what the projections of the new logical
connectives in PGA_ul to PGA_u look like. To complete the list of projections,
we have to define the projections for the 'regular' instructions, as well as how
concatenation and repetition are projected. This is trivial, since these 'regular'
instructions are the same in PGA_ul and PGA_u. We get for $a \in A$ and PGA_ul-programs
$X$, $Y$

$\mathrm{pgaul2pgau}(a) = a$
$\mathrm{pgaul2pgau}(+a) = +a$
$\mathrm{pgaul2pgau}(-a) = -a$
$\mathrm{pgaul2pgau}(!) = \,!$
$\mathrm{pgaul2pgau}(\#k) = \#k$
$\mathrm{pgaul2pgau}(X; Y) = \mathrm{pgaul2pgau}(X);\ \mathrm{pgaul2pgau}(Y)$
$\mathrm{pgaul2pgau}(X^\omega) = (\mathrm{pgaul2pgau}(X))^\omega$
$\mathrm{pgaul2pgau}(u(X)) = u(\mathrm{pgaul2pgau}(X))$



8.3 Detecting side effects in PGA

In this section I will show how to detect side effects in a PGA_ul program using
our treatment of side effects. In essence, all we have to do is translate the PGA_ul
program to an equivalent DLAf-program, which can then be used to determine
the side effects that occur.

To recap, we have the following operators in PGA_ul that have to be translated:

• Concatenation ($X; Y$)

• Repetition ($X^\omega$)

• Unit instruction operator (u(_))

• Termination (!)

• Positive and negative tests ($+\phi$, $-\phi$)

• Only in tests: conjunction, disjunction and negation ($\phi_1 \,{}^\circ\!\wedge\, \phi_2$, $\phi_1 \,{}^\circ\!\vee\, \phi_2$, $\neg\phi$)

There are two notable differences between PGA_ul and DLAf. The first is that in
PGA_ul a program terminates unsuccessfully unless explicitly instructed otherwise
by the termination instruction, whereas in DLAf the default is successful
termination. This is an issue that has to be addressed to properly translate
PGA_ul to DLAf, and the best way to do this is to add the termination instruction
to DLAf. This illustrates the point I made in Section 6.5 in Chapter 6:
the instructions I defined so far in DLAf are by no means exhaustive and new
instructions may have to be added to them. This can usually be done by simply
defining the actual and expected evaluation of the new instruction.

The nature of the termination instruction requires us to do a little more
than just that. After all, the termination instruction has a control element to
it: just like for instance the test instruction, it has an influence on which
instructions are to be evaluated next. To be exact, no instructions are to be evaluated
next when a termination instruction is encountered during evaluation of a
program. Because of this, we have to slightly modify the concatenation operator
in DLAf too when we introduce the termination instruction. We baptize the
extension of DLAf with the termination instruction DLTAf (for Dynamic Logic
with Termination and Assignments in Formulas).

The equation for the relational meaning of ! in a given model $\mathcal M$ and initial
valuation $g$ is straightforward. Execution simply finishes with the same
resulting valuation as the initial valuation:

$g\llbracket\,!\,\rrbracket^{\mathcal M}_h$ iff $g = h$ (DLTA15)

The updated rule for concatenation has to express that when a termination
instruction is encountered, nothing should be evaluated afterwards. We use a
case distinction for this on the first instruction of a concatenation:

$g\llbracket d\pi_1;\ d\pi_2 \rrbracket^{\mathcal M}_h$ iff $\begin{cases} g = h & \text{if } d\pi_1 = \,! \\ \exists f \text{ s.th. } g\llbracket d\pi_1 \rrbracket^{\mathcal M}_f \text{ and } f\llbracket d\pi_2 \rrbracket^{\mathcal M}_h & \text{o.w.} \end{cases}$ (DLTA12)

We only define the termination instruction in the setting of deterministic
programs here. This is sufficient because this is the only setting we are currently
interested in. DLTA12 replaces QDL12, but keeps the associative character of
concatenation intact:

$g\llbracket (d\pi_0;\ d\pi_1);\ d\pi_2 \rrbracket^{\mathcal M}_h$ iff $g\llbracket d\pi_0;\ (d\pi_1;\ d\pi_2) \rrbracket^{\mathcal M}_h$

The addition of the termination instruction allows us to easily express PGA_ul-programs
such as $+a;\ !;\ b$ in DLTAf. They would otherwise have caused a problem
because there would have been no easy way to stop the evaluation of the
program from continuing to evaluate $b$, which it of course is not supposed to
do if $a$ yields true.

The other notable difference between PGA_ul and DLAf is that in the former,
anything can be used as a basic instruction. That includes what we refer to in
DLAf as primitive formulas such as $x < 2$ or $t_1 = t_2$. In PGA the execution of
an instruction always succeeds, even if the Boolean reply that it generates is
false. To model this in DLTAf, we have to add the primitive formulas $\varphi$ to the
set of instructions, as follows:

$\pi ::= \varphi \mid\ ! \mid v := t \mid\ ?\phi \mid \pi_1; \pi_2 \mid \pi_1 \cup \pi_2 \mid \pi^*$

The relational meaning in $\mathcal M$ given initial valuation $g$ for these new instructions
is simply that they always succeed without modifying $g$:

$g\llbracket \varphi \rrbracket^{\mathcal M}_h$ iff $g = h$

With the termination instruction and the formulas-as-instructions defined,
we can take a first look at the mapping from PGA_ul to DLTAf. For this we
define a translation function $f_t : \mathrm{PGA}_{ul} \to \mathrm{DLTAf}$. We define this translation
function for PGA programs in first or second canonical form only; this is
sufficient because, as we have seen, every PGA program can be rewritten to first
and second canonical form.

First, we define the set $A$ of basic instructions in PGA to be equal to the
set of primitive formulas and single instructions, not being tests, in DLAf:

$A ::= \varphi \mid \rho^-$

where $\rho^-$ denotes the set of single instructions not being tests. In DLAf, this
set only consists of the assignment instruction $v := t$.

For finite sequences of instructions with length $n = 1$, $a_i \in A$ and $k \in \mathbb{N}_0$,
and $\phi$ a formula as meant in Section 8.2.3, $f_t$ is defined as follows:

$f_t(-\phi) = \,?\neg\phi;\ ?\bot$
$f_t(\#k) = \,?\bot$
$f_t(!) = \,!$
$f_t(u(a_1; \ldots; a_k)) = f_t(a_1; \ldots; a_k)$

Here we can clearly see what effect it has that PGA_ul has unsuccessful termination
as its default. We have to explicitly introduce unsuccessful termination in
DLTAf by adding $?\bot$ (a test that always fails) at the end of every instruction.
Furthermore, notice the unit instruction operator, which here has length $n = 1$
but is transparent when it has to be translated and thus becomes a sequence of
instructions with length $k$ that is potentially larger than 1. Finally, notice that
there is no need to translate possibly compound formulas $\phi$. This is because
formulas have the exact same syntax in PGA_ul and DLTAf.

Next, we can show the definition of $f_t$ for finite sequences of instructions
with length $n = m + 1$. For $a, b_1, \ldots, b_m \in A$, $k \in \mathbb{N}_0$ and $\phi$ a formula as meant
in Section 8.2.3 we have

$f_t(a;\ b_1; \ldots; b_m) = a;\ f_t(b_1; \ldots; b_m)$

$f_t(+\phi;\ b_1; \ldots; b_m) = \begin{cases} (?\phi;\ f_t(b_1)) \cup (?\neg\phi;\ ?\bot) & \text{if } m = 1 \\ (?\phi;\ f_t(b_1; \ldots; b_m)) \cup (?\neg\phi;\ f_t(b_2; \ldots; b_m)) & \text{o.w.} \end{cases}$

$f_t(-\phi;\ b_1; \ldots; b_m) = \begin{cases} (?\phi;\ ?\bot) \cup (?\neg\phi;\ f_t(b_1)) & \text{if } m = 1 \\ (?\phi;\ f_t(b_2; \ldots; b_m)) \cup (?\neg\phi;\ f_t(b_1; \ldots; b_m)) & \text{o.w.} \end{cases}$

$f_t(\#0;\ b_1; \ldots; b_m) = \,?\bot$

$f_t(\#(2{+}k);\ b_1; \ldots; b_m) = \begin{cases} f_t(b_{k+2}; \ldots; b_m) & \text{if } k + 2 \le m \\ ?\bot & \text{o.w.} \end{cases}$

$f_t(u(a_1; \ldots; a_k);\ b_1; \ldots; b_m) = f_t(a_1; \ldots; a_k;\ b_1; \ldots; b_m)$

With the above translation rules, we can now translate finite PGA_ul-programs
to their DLTAf-versions. A complete translation would require a translation of
repetition as well. This, however, is quite a complex task. The reason for that
becomes clear when considering examples like these:

$(a;\ b;\ +c)^\omega$
$(+a;\ +b;\ +c)^\omega$
$(a;\ +b;\ \#5;\ c;\ +b)^\omega$

Because of the behavior of $+c$, we get into trouble here if we attempt to use
the regular translation. The problem is that $+c$ can possibly skip the first
instruction of the next repetition loop, which is behavior that is hard to translate
without explicitly introducing this variant of repetition ($\_^\omega$) in DLAf. The same
problem arises with the jump instruction. At first glance, the best solution
there is to introduce the jump instruction to DLAf as well. In that case the
second canonical form of PGA-programs comes in handy, as it is designed to
manipulate expressions with repetition such that no infinite jumps occur.

Since this case study is meant as a relatively clear example of how to use
DLAf to model side effects in other systems such as PGA, it is beyond our
interest here to present these rather complex translations of repetition. Instead,
we restrict ourselves to finite PGA_ul-programs and leave the relational semantics
for DLAf which models side effects as the basis for future work on PGA
involving repetition.



8.4 A working example

In this section I will present a working example of the translation from finite
PGA_ul-programs, which we write as PGA_ul^fin, to DLTAf. In addition, I will show
that we get sufficiently similar results if we first translate PGA_ul^fin to DLTAf
compared to first projecting PGA_ul^fin to PGA_u^fin and then translating that to
DLTAf. To be exact, we are going to show that the following diagram defines a
program transformation $E$ on finite deterministic programs in DLTAf:

$$\begin{array}{ccc}
\mathrm{PGA}^{fin}_{ul} & \xrightarrow{\;f_t\;} & \mathrm{DLTAf} \\[2pt]
\Big\downarrow{\scriptstyle \mathrm{pgaul2pgau}} & & \Big\downarrow{\scriptstyle E} \\[2pt]
\mathrm{PGA}^{fin}_{u} & \xrightarrow{\;f_t\;} & \mathrm{DLTAf}
\end{array}$$

Here $E$ is a reduction function on DLTAf that yields deterministic DLTAf-programs
where occurrences of ${}^\circ\!\wedge$ and ${}^\circ\!\vee$ have been eliminated.

For the working example, we return to a variant of our running example.
Consider the PGA_ul^fin-program

$X = +([x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !$

where $w[\ldots]$ suggests a write command. This is a program of the form

$+(b \,{}^\circ\!\wedge\, c);\ u(d;\ !);\ e;\ !$

with $b = [x := x + 1]\mathsf{T}$, $c = (x = 2)$, $d = w[x = 2]$ and $e = w[x \neq 2]$. Thus, we get
the following translation, one instruction at a time:

$f_t(+(b \,{}^\circ\!\wedge\, c);\ u(d;\ !);\ e;\ !)$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ f_t(u(d;\ !);\ e;\ !)) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ f_t(e;\ !))$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ f_t(d;\ !;\ e;\ !)) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ f_t(e;\ !))$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ d;\ f_t(!;\ e;\ !)) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ f_t(e;\ !))$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ d;\ !) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ f_t(e;\ !))$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ d;\ !) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ e;\ f_t(!))$
$\quad = (?(b \,{}^\circ\!\wedge\, c);\ d;\ !) \cup (?\neg(b \,{}^\circ\!\wedge\, c);\ e;\ !)$

So there we have it: if we replace the shorthands with their original instructions
or formulas again, we get the following DLTAf-program, which we baptize $d\pi_{ul}$:

$d\pi_{ul} = (?([x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2));\ w[x = 2];\ !)$
$\qquad \cup\ (?\neg([x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2));\ w[x \neq 2];\ !)$

Clearly, given model $\mathcal M$, $g\llbracket f_t(X) \rrbracket^{\mathcal M}_h$ implies that $h = g[x \mapsto g(x) + 1]$. So,
if $g(x) = 1$, the instruction $w[x = 2]$ is executed, after which the program
terminates, while for $g(x) \neq 1$ the instruction $w[x \neq 2]$ is executed, after which
the program terminates.

Now let $Y = \mathrm{pgaul2pgau}(X)$, so

$Y = u(+([x := x + 1]\mathsf{T});\ u(+(x = 2);\ \#2);\ \#2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !$

We compute

$f_t(Y) = f_t(+([x := x + 1]\mathsf{T});\ u(+(x = 2);\ \#2);\ \#2;\ u(w[x = 2];\ !);\ w[x \neq 2];\ !)$
$\quad = (?([x := x + 1]\mathsf{T});\ f_t(+(x = 2);\ \#2;\ \#2;\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg([x := x + 1]\mathsf{T});\ f_t(\#2;\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\quad = (?([x := x + 1]\mathsf{T});\ ((?(x = 2);\ f_t(\#2;\ \#2;\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\qquad\qquad \cup\ (?\neg(x = 2);\ f_t(\#2;\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))))$
$\qquad \cup\ (?\neg([x := x + 1]\mathsf{T});\ w[x \neq 2];\ !)$
$\quad = (?([x := x + 1]\mathsf{T});\ ((?(x = 2);\ w[x = 2];\ !) \cup (?\neg(x = 2);\ w[x \neq 2];\ !)))$
$\qquad \cup\ (?\neg([x := x + 1]\mathsf{T});\ w[x \neq 2];\ !)$
Note that for each model $\mathcal M$ and initial valuation $g$, $\mathcal M \models_g [x := x + 1]\mathsf{T}$, so

$g\llbracket f_t(Y) \rrbracket^{\mathcal M}_h$ iff $g\llbracket\, ?([x := x + 1]\mathsf{T});\ ((?(x = 2);\ w[x = 2];\ !) \cup (?\neg(x = 2);\ w[x \neq 2];\ !)) \,\rrbracket^{\mathcal M}_h$

Thus, writing $d\pi_u$ for the rightmost deterministic DLTAf-program, we find

$g\llbracket f_t(Y) \rrbracket^{\mathcal M}_h$ iff $g\llbracket d\pi_u \rrbracket^{\mathcal M}_h$

We now need to ask ourselves if $d\pi_u$ is 'sufficiently similar' to the earlier derived
$d\pi_{ul}$. Intuitively, we would say that in this working example, this indeed is
the case. After all, $[x := x + 1]\mathsf{T}$ always yields true, so the truth of
$[x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2)$ depends solely on the Boolean reply that $x = 2$ yields. It
therefore does not matter if we lift $?[x := x + 1]\mathsf{T}$ out of the union, which is
essentially what we have done in the case of $d\pi_u$.

We can call two programs 'sufficiently similar' if they evaluate the same
single instructions, not being tests, or primitive formulas in the same order. We
can formalize that notion with the following proposition:

Proposition 11. Let $X$ be a program in PGA_ul^fin, let $d\pi_{ul} = f_t(X)$ and let
$d\pi_u = f_t(\mathrm{pgaul2pgau}(X))$. Let model $\mathcal M$ be given and let $g$ be an initial valuation such
that there exists a valuation $h$ such that $g\llbracket d\pi_{ul} \rrbracket^{\mathcal M}_h$. Then

$g\llbracket d\pi_{ul} \rrbracket^{\mathcal M}_h$ iff $g\llbracket d\pi_u \rrbracket^{\mathcal M}_h$

and the same single instructions, not being tests, and primitive formulas are
evaluated in the same order during evaluation of $d\pi_{ul}$ and $d\pi_u$ given $g$.

As said, we do not consider repetition as a program constructor in our case
study. Furthermore, our model of side effects is limited to terminating programs,
as opposed to programs that can either end in termination or in divergence. A
proof of this proposition might be found, but is for these reasons perhaps not
very much to the point. In Chapter 9 (Conclusions) we return to this issue.

It is, however, worthwhile to check the proposition for our working example.
Recall that we have the following $d\pi_{ul}$ and $d\pi_u$:

$d\pi_{ul} = (?([x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2));\ w[x = 2];\ !)$
$\qquad \cup\ (?\neg([x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2));\ w[x \neq 2];\ !)$

$d\pi_u = \,?([x := x + 1]\mathsf{T});\ ((?(x = 2);\ w[x = 2];\ !) \cup (?\neg(x = 2);\ w[x \neq 2];\ !))$

It is not hard to check in this case that for any model $\mathcal M$ and initial valuation
$g$ such that $d\pi_{ul}$ can be evaluated, $g\llbracket d\pi_{ul} \rrbracket^{\mathcal M}_h$ iff $g\llbracket d\pi_u \rrbracket^{\mathcal M}_h$. It is also easy to
see that the same single instructions, not being tests, and primitive formulas
are evaluated (in the same order). After all, $d\pi_{ul}$ first evaluates the primitive
formulas $[x := x + 1]\mathsf{T}$ and $x = 2$ and uses those to determine the reply of
$[x := x + 1]\mathsf{T} \,{}^\circ\!\wedge\, (x = 2)$. Depending on the reply, it then either evaluates the
single instructions $w[x = 2]$ and !, or $w[x \neq 2]$ and !.

Almost the same goes for $d\pi_u$. It first evaluates the primitive formula
$[x := x + 1]\mathsf{T}$ and depending on the reply (which happens to be always true),
either stops evaluation (which therefore is never the case) or continues with the
evaluation of primitive formula $x = 2$. Depending on the reply, it then, like $d\pi_{ul}$,
either evaluates the single instructions $w[x = 2]$ and !, or $w[x \neq 2]$ and !. So at
least in our working example, Proposition 11 holds.

In a similar way, we can analyze the PGA_ul^fin-program

$X = +(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !$

We can compute $d\pi_{ul} = f_t(X)$:

$f_t(X) = f_t(+(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !)$
$\quad = (?(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ f_t(u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ f_t(w[x \neq 2];\ !))$
$\quad = (?(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ f_t(w[x = 2];\ !;\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ w[x \neq 2];\ f_t(!))$
$\quad = (?(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ w[x = 2];\ f_t(!;\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ w[x \neq 2];\ !)$
$\quad = (?(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ w[x = 2];\ !)$
$\qquad \cup\ (?\neg(\neg[x := x + 1]\mathsf{T} \,{}^\circ\!\vee\, x = 2);\ w[x \neq 2];\ !)$

We once again define $Y = \mathrm{pgaul2pgau}(X)$, so by (8.22)

$Y = u(-([x := x + 1]\mathsf{T});\ \#2;\ +(x = 2));\ u(w[x = 2];\ !);\ w[x \neq 2];\ !$
We compute

$f_t(Y) = f_t(-([x := x + 1]\mathsf{T});\ \#2;\ +(x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !)$
$\quad = (?\neg([x := x + 1]\mathsf{T});\ f_t(\#2;\ +(x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg\neg([x := x + 1]\mathsf{T});\ f_t(+(x = 2);\ u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\quad = (?\neg([x := x + 1]\mathsf{T});\ f_t(u(w[x = 2];\ !);\ w[x \neq 2];\ !))$
$\qquad \cup\ (?\neg\neg([x := x + 1]\mathsf{T});\ ((?(x = 2);\ f_t(w[x = 2];\ !;\ w[x \neq 2];\ !)) \cup (?\neg(x = 2);\ f_t(w[x \neq 2];\ !))))$
$\quad = (?\neg([x := x + 1]\mathsf{T});\ w[x = 2];\ !)$
$\qquad \cup\ (?\neg\neg([x := x + 1]\mathsf{T});\ ((?(x = 2);\ w[x = 2];\ !) \cup (?\neg(x = 2);\ w[x \neq 2];\ !)))$

Here the negative test $-([x := x + 1]\mathsf{T})$ is handled via equation 8.15 as the positive
test $+(\neg[x := x + 1]\mathsf{T})$, which is why the two branches are guarded by $?\neg$ and
$?\neg\neg$ respectively.

We can directly eliminate a situation: $\neg([x := x + 1]\mathsf{T})$ is false for any initial
valuation $g$. Thus, writing $d\pi_u$ for the second part of the topmost union:

$d\pi_u = \,?\neg\neg([x := x + 1]\mathsf{T});\ ((?(x = 2);\ w[x = 2];\ !) \cup (?\neg(x = 2);\ w[x \neq 2];\ !))$

we get, given model $\mathcal M$, for any initial valuation $g$

$g\llbracket f_t(Y) \rrbracket^{\mathcal M}_h$ iff $g\llbracket d\pi_u \rrbracket^{\mathcal M}_h$

We can check in similar fashion as before that Proposition 11 holds (for any
initial valuation $g$). We can conclude that at least for these working examples,
the mentioned proposition is valid. As said, we leave the proof for future work.

This case study started from the abstract approach to attempt decomposition
of complex steering fragments in instruction sequences in PGA_ul^fin as
advocated in [5]. We show that we can apply this approach to a rather concrete
instance in imperative programming (namely the set $A$ of basic instructions
given in this chapter) and we obtain some interesting results. In the first place,
it inspired our definition of DLTAf and the analysis and classification of side
effects as discussed in this thesis. Secondly, by the preservation property
formulated in Proposition 11 it justifies our proposal for the projection function
pgaul2pgau. It is an interesting result that we are able to show that the
projection pgaul2pgau, which does not have anything to do with valuations,
preserves the relational semantics (and therefore side effects) of a program via
the diagram at the beginning of this section, which is based on a very natural
translation.



9 Conclusions and future work



In this thesis I have given a formal definition of side effects. I have done so
by modifying a system for modelling program instructions and program states,
Quantified Dynamic Logic, to a system called DLAf (Dynamic Logic with
Assignments as Formulas), which in contrast to QDL allows assignments in
formulas and makes use of short-circuit evaluation. I have shown the underlying logic
in those formulas to be a variant of short-circuit logic called repetition-proof
short-circuit logic.

Using DLAf I have defined the actual and the expected evaluation of a single 
instruction. The side effects are then defined to be the difference between the 
two. I have given rules for composing those side effects in single instructions, 
thus scaling up our definition of side effects to a definition of side effects in 
deterministic DLAf-programs. Using this definition I have given a classification 
of side effects, introducing as most important class that of marginal side effects. 
Finally, I have shown how to use our system for calculating the side effects in a 
real system such as PGA. 

Our definition gives us an intuitive way to calculate the side effects in a 
program. Because of the definition in terms of actual and expected evaluation, 
one can easily adapt the system to one's own needs without having to change 
the definition of side effects. All one has to do is update the expected evaluation 
of a single instruction or, if an entirely new single instruction is added to the 
system, define the actual and expected evaluation for it. 

In Chapter 5 we have seen how a sound axiomatization of the formulas 
in DLAf can be given using the signature {T, ⊥, _ ◁ _ ▷ _}. I have not used 
this signature in the first place because I wanted to stick to the conventions 
of dynamic logic. It is noteworthy, however, that this alternative and possibly 
more elegant signature exists, especially because an axiomatization can be given 
for it. 

The definition of side effects given here can point the way to a lot more 
research. I can see future work being done in the following areas: 

• I do not want to claim that the instructions I have defined in DLAf are 
exhaustive. Finding out which other instructions might have to be added 
to DLAf could be an interesting project. 

• Another possible subject for future work is the issue of 'negative' side 
effects I briefly touched upon in Section 6.3. It is an open question whether 
or not we should allow situations in which 'negative' side effects occur and, 
if so, how we should handle them. 

• In this thesis we have mostly been looking at imperative programs. It 
would be interesting to see whether our definition can be extended to, for 
example, functional programs. Perhaps the work done by Van Eijck in [10], 
in which he defines functional programs making use of program states, can 
be used for this. 

• Another interesting question, which has been raised before in Chapters 5 
and ini, is that of side effects in non-deterministic programs. It warrants 
further research whether it is reasonable to talk about side effects there. One 
can imagine that if the sets of side effects in all possible runs of a non- 
deterministic program are the same, the side effects of the whole can be 
defined as exactly that set. What needs to be done if that is not the case, 
however, or whether we should even want to define side effects of such programs, 
are open questions. 

• In Chapter 7 the concept of marginal side effects was introduced and the 
suggestion was made that this notion can be linked to claims about how 
well-written a program is. I have not pursued such claims, but can imagine 
further research being done in that area. 

• To develop a direct modelling of side effects for the variant of PGA dis- 
cussed in Chapter 5, one can introduce valuation functions as program 
states and define a relational meaning that separates termination from 
deadlock/inaction, say 

The idea of this would be to evaluate X as far as possible, which is a 
reasonable requirement if X is in second canonical form. In addition, we 
could define a termination predicate, e.g. Term(X, g), which states that X 
terminates for initial valuation g. Using this we could define a "behavioural 
equivalence" on programs X and Y as follows: 

∀g, g′ : g ⟦X⟧ g′ iff g ⟦Y⟧ g′,  and  Term(X, g) iff Term(Y, g) 

Using this, Proposition 11 can probably be proven, especially consider- 
ing the property of DLAf proven in Chapter 3 that any program can be 
rewritten into a form in which its steering fragments only contain primitive 
formulas and their negations. 

• Also mentioned in Chapter 5 is the possibility to introduce extra logical 
operators, namely Logical Left And (LLAnd, written &) and its dual Logical 
Left Or (LLOr, written |). Introducing these in DLAf is fairly straightforward: 
one only needs to define their truth in M: 

M ⊨_g φ1 | φ2  iff  M ⊨_g φ1 ∨ φ2    (DLA7c) 
M ⊨_g φ1 & φ2  iff  M ⊨_g φ1 ∧ φ2    (DLA7d) 

as well as update the program extraction function: 

πf(φ1 □ φ2) = πf(φ1); πf(φ2)    if … and □ ∈ {|, &} 

To introduce the same operators in PGAul, projection functions in the same 
style as the ones given in Chapter 5 for SCLAnd and SCLOr need to be 
defined. 
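As an added illustration (not code from the thesis), the following Python toy evaluator contrasts short-circuit connectives with the logical left connectives of this bullet on formulas that contain assignments. It assumes a simplified model: a valuation is a dict from variable names to booleans, an assignment x:=v used as a formula updates the valuation and has truth value v, and every connective evaluates its left operand first; the class names, the operator names and the sample formulas are this example's own. It shows that the truth value of φ1 & φ2 and φ1 | φ2 agrees with plain ∧ and ∨ (as in DLA7c and DLA7d) while the resulting valuation and the list of executed assignments differ from the short-circuit case, which is why the program extraction of a logical left connective must run πf(φ1) and πf(φ2) unconditionally.

```python
"""Toy evaluator contrasting short-circuit connectives with 'logical left'
connectives on formulas that may contain assignments.

Added illustration, not code from the thesis. Assumed conventions (not the
thesis's definitions): a program state is a valuation, i.e. a dict mapping
variable names to booleans; an assignment x:=v, used as a formula, updates
the valuation and has truth value v; every connective evaluates its left
operand first.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Assign:
    name: str
    value: bool


@dataclass(frozen=True)
class Not:
    arg: "Formula"


@dataclass(frozen=True)
class Bin:
    # 'sc_and' / 'sc_or': short-circuit; 'll_and' / 'll_or': logical left
    op: str
    left: "Formula"
    right: "Formula"


Formula = Union[Var, Assign, Not, Bin]
Valuation = Dict[str, bool]
Trace = List[Tuple[str, bool]]  # assignments actually executed, in order

OPS = {"sc_and", "sc_or", "ll_and", "ll_or"}


def evaluate(phi: Formula, g: Valuation) -> Tuple[bool, Valuation, Trace]:
    """Evaluate phi in valuation g; return (truth value, new valuation, trace).
    The input valuation is copied, never mutated."""
    g = dict(g)
    if isinstance(phi, Var):
        return g[phi.name], g, []
    if isinstance(phi, Assign):
        g[phi.name] = phi.value
        return phi.value, g, [(phi.name, phi.value)]
    if isinstance(phi, Not):
        v, g, trace = evaluate(phi.arg, g)
        return (not v), g, trace
    if not isinstance(phi, Bin) or phi.op not in OPS:
        raise ValueError(f"unknown formula: {phi!r}")
    v1, g, t1 = evaluate(phi.left, g)
    # Short-circuit: the right operand is not evaluated at all, so none of
    # its assignments take place.
    if phi.op == "sc_and" and not v1:
        return False, g, t1
    if phi.op == "sc_or" and v1:
        return True, g, t1
    # Logical left (and the non-short-circuited cases): the right operand
    # is evaluated too, so its assignments are always carried out.
    v2, g, t2 = evaluate(phi.right, g)
    if phi.op in ("sc_and", "ll_and"):
        return (v1 and v2), g, t1 + t2
    return (v1 or v2), g, t1 + t2


def compare(left: Formula, right: Formula, g: Valuation):
    """Evaluate left/right under all four connectives from the same initial
    valuation. Returns {op: (truth, final valuation, trace)}."""
    return {op: evaluate(Bin(op, left, right), g)
            for op in ("sc_and", "ll_and", "sc_or", "ll_or")}


if __name__ == "__main__":
    # Constructed sample: left operand false, right operand assigns y.
    g0 = {"x": False, "y": False}
    for op, (v, g, trace) in compare(Assign("x", False), Assign("y", True), g0).items():
        print(f"{op:6}: truth={v!s:5} valuation={g} executed={trace}")
```

Running the block prints, for the sample formula, the same truth value for sc_and and ll_and but a different final valuation (y stays false under sc_and, becomes true under ll_and); swapping the left operand to x:=True shows the same contrast between sc_or and ll_or.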

• Another possible matter for further study is whether side effects can be 
used in natural language. In the Introduction we have already seen that 
they can occur, in the pregnant wife example: your wife told you to do 
the grocery shopping if she did not call you, and she later did call, but 
to tell you that she was pregnant. Possibly there is a role for side 
effects in explaining misunderstandings. There is no doubt that side 
effects can be the cause of misunderstandings. The pregnant wife example 
illustrates this: you could decide to do the grocery shopping to be on the safe 
side after her call, claiming her call indicated you might have to shop, only 
to run into your wife at the store, also shopping (who, of course, did not 
want to convey the message that you should shop at all). 

In the Dynamic Epistemic Logic system mentioned in [12], the 
knowledge of two communicating agents is captured by an epistemic state, 
one for each agent. The agents also have an epistemic state for what they 
think is the (relevant) knowledge of the other agent with whom they are 
in conversation. A misunderstanding has occurred when an agent updates 
his own epistemic state in a different way than the other agent expects 
him to. There are many ways in which this can happen, but relevant 
for us is that one of those ways is when a side effect of an utterance 
occurs of which one of the agents is not aware. 

If one of the agents is aware of the side effect, and also of the fact that the 
other agent might not be aware of it, it may be advisable to point 
out this side effect to the other agent. In our example of the pregnant 
wife calling, this would mean that you would have to tell your wife on 
the phone that the fact that she called leaves you in doubt about the grocery 
shopping. Naturally, though, we recommend a more enthusiastic response 
to the news that she is pregnant first. 